We present a new technique for proving the security of quantum key distribution (QKD) protocols. It is based on direct information-theoretic arguments and thus also applies if no equivalent entanglement purification scheme can be found. Using this technique, we investigate a general class of QKD protocols with one-way classical post-processing. We show that, in order to analyze the full security of these protocols, it suffices to consider collective attacks. Indeed, we give new lower and upper bounds on the secret-key rate which only involve entropies of two-qubit density operators and which are thus easy to compute. As an illustration of our results, we analyze the BB84, the six-state, and the B92 protocol with one-way error correction and privacy amplification. Surprisingly, the performance of these protocols is increased if one of the parties adds noise to the measurement data before the error correction. In particular, this additional noise makes the protocols more robust against noise in the quantum channel.

I. INTRODUCTION

Classical key distribution schemes can only be se- 
cure under strong assumptions, e.g., that the computing 
power or the storage capacity of a potential adversary is 
limited. In contrast, quantum key distribution (QKD) al- 
lows for provable security under the sole assumption that 
the laws of physics are correct. This ultimate security is 
certainly one of the main reasons why so much theoret- 
ical and experimental effort is undertaken to investigate 
QKD protocols and, in particular, to make them practi- 
cal 0,SS 

One of the most challenging theoretical problems in the 
context of QKD is to determine sufficient and/or neces- 
sary conditions for the security of QKD protocols. This 
is exactly what we are concerned with in this paper. To 
be more precise, we investigate the security of a general 
class of QKD schemes which includes the most popular 
ones such as the BB84, the six-state, and the B92 pro- 
tocol 0, 0, @ • Our results hold with respect to a model 
where two legitimate parties, traditionally called Alice 
and Bob, are connected by a quantum channel as well as 
an authentic, but otherwise fully insecure, classical channel |2^. We assume that Alice's source as well as Bob's detector are perfect, whereas an adversary (Eve) might have full control over the quantum channel [29].

QKD protocols can usually be divided into a quantum 
and a classical part: In the quantum part, the transmit- 
ter (Alice) sends qubits (or more generally, some d-level 
physical systems) prepared in certain states to the re- 
ceiver (Bob). The states of these qubits are encodings 
of bit values randomly chosen by Alice. Bob performs a 
measurement on the qubits to decode the bit values. For 
each of the bits, both the encoding and the decoding are 
chosen at random from a certain set of operators. Af- 
ter the transmission step, Alice and Bob apply a sifting 
where they publicly compare the encoding and decoding 
operator they have used and keep only the bit pairs for 
which these operators match. 



Once Alice and Bob have correlated bitstrings, they proceed with the classical part of the protocol. In a first step, called parameter estimation, they compare the bit values for a randomly chosen sample of their strings, which gives an estimate for the quantum bit error rate (QBER), i.e., the fraction of positions where Alice and Bob's strings differ. Note that the QBER is a direct measure for the secrecy of Alice and Bob's strings, since any eavesdropping strategy would, according to the laws of quantum mechanics (no-cloning theorem), perturb the correlations between them [30]. If the QBER is too high, Alice and Bob decide to abort the protocol. Otherwise, they apply a classical (post-)processing protocol to distill a secret key, using either one-way or two-way classical communication. One-way post-processing protocols usually consist of error correction and privacy amplification [31]. For the error correction, Alice sends certain information to Bob such that he can reconstruct Alice's string. Once Alice and Bob have identical strings, privacy amplification is used to compute a final key on which the adversary has virtually no information. We shall see that the performance of such one-way protocols can generally be increased if Alice additionally applies some pre-processing to her initial string before starting with the error correction.

Any realistic quantum channel is subject to noise. 
Consequently, even in the absence of an adversary Eve, 
the QBER is non-zero. On the other hand, Eve might in 
principle replace the real (noisy) quantum channel with 
an ideal noise-free channel and could thus tap mildly into 
the quantum communication such as to introduce pre- 
cisely the original amount of noise. Hence, when proving 
the security of a protocol, one has to assume that all the 
noise is due to Eve. This raises the following question: 
What is the maximum QBER, i.e., the maximum toler- 
ated channel noise, such that Alice and Bob can still gen- 
erate a secure key? Clearly, the answer to this question 
depends on the amount of information that Eve might 
have gained by her attack.

Ideally, one does not want to impose any restriction
on Eve's power. That is, any strategy allowed by the 
laws of physics has to be considered. On the other hand, 
the set of all possible attacks is usually difficult to han- 
dle. In order to cope with these conflicting objectives, 
three classes of attacks have been considered. The small- 
est class only contains the so-called individual attacks, 
where Eve is restricted to interacting with each of the 
signal systems sent by Alice separately. That is, for each 
of the signal systems, Eve attaches an auxiliary system 
and applies some fixed unitary operation. Finally, Eve 
measures each of these systems individually right after 
the sifting step, i.e., before Alice and Bob start with the 
classical processing. The class of collective attacks is de- 
fined similarly, but the last requirement is dropped. That 
is, Eve might wait with her measurement until the very 
end of the protocol. In particular, the measurement she 
chooses might depend on the messages Alice and Bob 
exchange for error correction and privacy amplification. 
Moreover, she might measure all her auxiliary systems 
jointly. Not much is known about this class, and research 
has more concentrated on the class of coherent attacks, 
which is the most general one. In particular, Eve might 
let all the signal systems interact with one large auxiliary 
system, which she only measures at the very end of the 
protocol. 

Many of the previous security proofs of QKD pro- 
tocols are based on the following observations H, 0, 0, 

1. Instead of preparing a system in a certain state and 
then sending it to Bob, Alice can equivalently pre- 
pare an entangled state, send one of the qubits to 
Bob, and later measure her subsystem. In doing so, 
she effectively prepares Bob's system at a distance. 

2. If the joint system of Alice and Bob is in a pure 
state, then it cannot be entangled with any third 
party; in particular it cannot be entangled with 
any of Eve's auxiliary systems. Hence, simple mea- 
surements provide Alice and Bob with data totally 
oblivious to Eve. 

3. If furthermore the state shared by Alice and Bob is maximally entangled, then their measurement results are maximally correlated. Hence, if Alice and Bob performed some entanglement purification protocol [12, 13], they would end up with the desired secret bits.

4. Since one is interested in the security of protocols implemented with today's technology, Alice and Bob's operations should not require the storage of quantum states, i.e., one does not want them to run a general entanglement distillation protocol. To overcome this problem, one uses the fact that certain entanglement distillation protocols are mathematically equivalent to quantum error correction codes. There exists a class of such codes, called CSS codes, which have the property that bit errors and phase errors can be corrected separately. Since the final key is classical, its value does not depend on the phase errors. Hence, Alice and Bob actually only have to correct the bit errors, which is a purely classical task.

This method for proving the security of QKD protocols 
is very elegant, but raises two different questions. First, 
is the detour via entanglement purification really neces- 
sary? Is it optimal? Or might other methods lead to 
better results? Secondly, must all cryptographers learn 
the intricate theory of entanglement? Is there an expla- 
nation of the results within the language of information 
theory? As we shall see, the theory of entanglement pu- 
rification, as explained above, is not necessary and also 
too pessimistic (from Alice and Bob's point of view). 

In fact, we present a technique for proving the security of QKD protocols which does not rely on entanglement purification. Instead, it is based on information-theoretic results on the security of privacy amplification [14, 15], which have first been applied in [16] to analyze the security of a generic QKD protocol similar to the one we are considering here [3^| (see also for a similar approach). Since secret key agreement might be possible even if the initial quantum state, the state Alice and Bob share before error correction and privacy amplification, does not allow for entanglement purification, our method generally leads to more optimistic results than any method based on entanglement purification. In addition, we show that the final key is secure according to a so-called universally composable security definition. This implies that the key can safely be used in any arbitrary context. Remarkably, this is not the case for most of the known security definitions (cf. discussion in [T^V).

One interesting example illustrating the strength of our 
technique is the BB84 protocol or the six-state protocol, 
where, in the classical processing step, Alice additionally 
adds some (large) amount of noise to her measurement 
data. We show that, surprisingly, this noise generally 
increases the rate at which Alice and Bob can generate 
secret key bits. However, the density operator of Alice 
and Bob's system after the noise has been introduced is 
not entangled, i.e., any security proof based on entangle- 
ment purification fails. 

The paper is organized as follows: In Section II we describe and analyze a generic QKD protocol using one-way classical post-processing. According to the discussion above, the protocol is subdivided into a quantum and a classical part. In Section II A, which is devoted to the quantum part, we review our result presented in [18]. It states that the density operator describing Alice and Bob's information after the quantum communication can be considered to be a symmetric (with respect to permutations of the qubit pairs) Bell-diagonal state. The classical part of the protocol is then studied in Section II B. Using some recent results of classical and quantum information theory [15, 19], we analyze the performance of the classical post-processing. In Section III we combine the main statements of Sections II A and II B and derive an expression for the secret-key rate which only involves a minimization over a certain set of two-qubit states which correspond to collective attacks. In Section IV we give an upper bound on the secret-key rate for any protocol with one-way classical post-processing, again involving only two-qubit density operators. Finally, in Section V we apply our methods to the BB84, the six-state, and the B92 protocol. In addition, we show that the efficiency of each of these protocols can be increased if one of the parties adds noise to her measurement data.



II. A GENERAL QKD PROTOCOL USING 
ONE-WAY COMMUNICATION 

In this section, we describe a general class of QKD protocols employing one-way classical post-processing. This class contains the BB84, the six-state, and the B92 protocol 0, 0, @ > among many others. Each of these protocols consists of a quantum and a classical part: The quantum part includes the distribution and measurement of quantum information, and is determined by the operators Alice and Bob use for their encoding and decoding. Section II A is devoted to the analysis of this part. Generally speaking, we review our result proven in [18] which states that the density operator describing Alice and Bob's system after the distribution of quantum information can be assumed to be symmetric (cf. equation (1)). Section II B deals with the classical part of the QKD protocol, i.e., parameter estimation and post-processing. We first give a description of a post-processing scheme and then derive an expression for the maximum length of the key that this scheme can generate, depending on the information that Alice and Bob share after the quantum part of the QKD protocol.

To simplify the presentation of our results, we assume that the physical systems which Alice sends to Bob are qubits. However, a generalization to higher dimensions is straightforward. Throughout the paper, we use the following notation: Vectors $(l_1, \ldots, l_n)$ are denoted by bold letters $\mathbf{l}$. We use capital letters as subscripts for density operators, e.g., $\sigma_{AB}$, to denote the subsystems they act on. A bold letter indicates that the corresponding subsystem is itself a product of many (identical) systems. Furthermore, for any state $|\Phi\rangle$, $P_{|\Phi\rangle} = |\Phi\rangle\langle\Phi|$ is the projector onto $|\Phi\rangle$.



A. Quantum part: Distribution of quantum 
information and measurement 

The quantum part of a QKD protocol is specified by the encoding and decoding operations employed by Alice and Bob. For the following, we assume that Alice uses $m$ different encodings, with index $j \in J := \{1, \ldots, m\}$. For each $j \in J$, $|\phi_j^0\rangle$ and $|\phi_j^1\rangle$ denote the states used to encode the bit values 0 and 1, respectively.

In the first step of the protocol, Alice randomly chooses $n$ bits $x_1, \ldots, x_n$ and sends $n$ qubits prepared in the states $|\phi_{j_1}^{x_1}\rangle, \ldots, |\phi_{j_n}^{x_n}\rangle$ to Bob, for randomly chosen encodings $j_1, \ldots, j_n$. Upon receiving these states (which might have undergone some perturbation, possibly caused by an attack) Bob applies his measurements to obtain classical bits $(y_1, \ldots, y_n)$. Finally, Alice and Bob employ a sifting sub-protocol, where they only keep the qubit pairs for which the encoding and the measurement operation that they have applied are compatible.

As demonstrated in [18], this protocol can equivalently be described as a so-called entanglement-based scheme |2jj. For this purpose, we define the encoding operators $A_j := |0\rangle\langle(\phi_j^0)^*| + |1\rangle\langle(\phi_j^1)^*|$ and the decoding operators $B_j := |0\rangle\langle\phi_j^{1\perp}| + |1\rangle\langle\phi_j^{0\perp}|$, where $\{|0\rangle, |1\rangle\}$ is some orthonormal basis, in the following called z-basis. For $x = 0, 1$ and $j \in J$, $|(\phi_j^x)^*\rangle$ denotes the complex conjugate of $|\phi_j^x\rangle$ in the z-basis, and $|\phi_j^{x\perp}\rangle$ is some (not necessarily normalized) state orthogonal to $|\phi_j^x\rangle$.

For the entanglement-based scheme, Alice simply prepares $n$ two-qubit systems in the state $A_j \otimes \mathbb{1}\,|\Phi^+\rangle$, where $|\Phi^+\rangle = \frac{1}{\sqrt{2}}(|0,0\rangle + |1,1\rangle)$, and sends the second qubit to Bob. Then, Bob randomly applies one of the operators $B_j$ to the qubit he receives. Finally, Alice and Bob measure their systems and associate to the outcome the bit values 0 or 1.

The description of a QKD protocol as an entanglement-based scheme is very convenient for the security analysis. In particular, instead of considering the quantum communication between Alice and Bob, it suffices to have a characterization of the quantum state $\rho^n_{AB}$ held by Alice and Bob before they apply their measurements.

Consider now a slight extension of the protocol where Alice and Bob randomly permute the positions of the measured bit pairs and, additionally, at each position, flip the values of both bits with probability one half. In the entanglement-based version of the protocol, these (purely classical) operations can equivalently be applied to the initial quantum state $\rho^n_{AB}$ of Alice and Bob. For the following, we restrict our attention to the partial state $\rho^{n_{\mathrm{data}}}_{AB}$ containing only the $n_{\mathrm{data}}$ particle pairs which are later used for the computation of the final key (but not for parameter estimation) and which are measured with respect to the z-basis [34]. (To keep the notation simple, we write in the following $n$ instead of $n_{\mathrm{data}}$.) The common bit-flip is then described by the quantum operation $\sigma_x \otimes \sigma_x$. Moreover, we can assume that Alice and Bob apply random phase flips $\sigma_z \otimes \sigma_z$ to their qubit pairs, since these do not change the distribution of the classical measurement outcomes. The resulting state $\tilde\rho^n_{AB}$ of Alice and Bob is thus given by $\tilde\rho^n_{AB} = \mathcal{D}_2^{\otimes n}(\mathcal{P}_n(\rho^n_{AB}))$, where the operator $\mathcal{P}_n$ denotes the completely positive map (CPM) which symmetrizes the state with respect to permutations of the $n$ qubit pairs, and where the CPM $\mathcal{D}_2$ describes the operation where both $\sigma_x \otimes \sigma_x$ and $\sigma_z \otimes \sigma_z$ are applied with probability $\frac{1}{2}$. This is equivalent to the random application of any of the operators $\mathbb{1} \otimes \mathbb{1}$, $\sigma_x \otimes \sigma_x$, $\sigma_y \otimes \sigma_y$, or $\sigma_z \otimes \sigma_z$, i.e., $\mathcal{D}_2$ can be interpreted as the action of a depolarizing channel transforming any two-qubit state to a Bell-diagonal state. Consequently, as shown in , $\tilde\rho^n_{AB}$ has the simple form

$$\tilde\rho^n_{AB} = \sum_{n_1,n_2,n_3,n_4} \mu_{n_1,n_2,n_3,n_4}\, \rho_{n_1,n_2,n_3,n_4} . \tag{1}$$

In this formula, the sum is taken over all $n_1, n_2, n_3, n_4 \in \mathbb{N}_0$ satisfying $n_1 + n_2 + n_3 + n_4 = n$ and $\mu_{n_1,n_2,n_3,n_4}$ are some (real-valued) non-negative coefficients. Moreover, $\rho_{n_1,n_2,n_3,n_4}$ is the state of $n$ qubit pairs defined by

$$\rho_{n_1,n_2,n_3,n_4} := \mathcal{P}_n\left(P_{|\Phi_1\rangle}^{\otimes n_1} \otimes P_{|\Phi_2\rangle}^{\otimes n_2} \otimes P_{|\Phi_3\rangle}^{\otimes n_3} \otimes P_{|\Phi_4\rangle}^{\otimes n_4}\right) , \tag{2}$$

where $P_{|\Phi_1\rangle} := P_{|\Phi^+\rangle}$, $P_{|\Phi_2\rangle} := P_{|\Phi^-\rangle}$, $P_{|\Phi_3\rangle} := P_{|\Psi^+\rangle}$, and $P_{|\Phi_4\rangle} := P_{|\Psi^-\rangle}$ are projectors onto the Bell states $|\Phi^\pm\rangle = \frac{1}{\sqrt{2}}(|0,0\rangle \pm |1,1\rangle)$ and $|\Psi^\pm\rangle = \frac{1}{\sqrt{2}}(|0,1\rangle \pm |1,0\rangle)$. Note that the state (1) is, independently of the protocol, separable with respect to the different qubit pairs.

To prove the security of our protocol, we will assume that Eve has the purification of the state (1), which clearly includes all the information she possibly can get. It is explained in 0] that, if the encoding operators $A_j$ are unitary, then this assumption is also tight, i.e., there actually exists an attack which provides Eve with this purification.

Formula is already sufficient to prove our main results (see Section III). However, to simplify the analysis of certain protocols, it is often convenient to consider the additional symmetrization (see [18]) given by the CPM $\mathcal{D}_1$ defined by

$$\mathcal{D}_1(\rho) = \frac{1}{N} \sum_j p_j\, A_j \otimes B_j\, (\rho)\, A_j^\dagger \otimes B_j^\dagger . \tag{3}$$

Here $p_j \geq 0$ denotes the probability by which Alice and Bob decide (during the sifting phase) to keep their bits, if they have applied the operation $A_j \otimes B_j$, and $N$ is used for the normalization. All classical data of Alice and Bob (including the bits used for parameter estimation) are then given by a measurement of the state $\mathcal{D}_2^{\otimes n}(\mathcal{D}_1^{\otimes n}(\mathcal{P}_n(\rho^n_{AB})))$ with respect to the z-basis.

B. Classical part: Parameter estimation and 
classical post-processing 

This section is devoted to the description and analysis of the classical part of the QKD protocol. We will use here techniques which partly have been developed in 0| . Assume that Alice and Bob already hold strings $\mathbf{X} = (X_1, \ldots, X_n)$ and $\mathbf{Y} = (Y_1, \ldots, Y_n)$, respectively, which they have obtained by measuring $n$ particle pairs $\rho^n_{AB}$ distributed in the first part of the QKD protocol, as described in Section II A. Their goal is to generate a secure key pair $(S_A, S_B)$, using $\mathbf{X}$ and $\mathbf{Y}$.

The protocol we consider consists of two sub-protocols, called parameter estimation and classical (post-)processing. The main purpose of the parameter estimation sub-protocol is to estimate the amount of errors that have occurred during the distribution of the quantum information (see Section II A). To do this, Alice and Bob compare the measurement outcomes for some randomly chosen qubit pairs. If the quantum bit error rate is above a certain threshold QBER, they decide to abort the protocol.

In order to analyze a given QKD protocol, we need to characterize the initial states $\rho^n_{AB}$ for which the protocol does not abort. Clearly, this characterization depends on the threshold QBER. Let $\Gamma$ be the set of all two-qubit states $\sigma_{AB}$ which correspond to a collective attack, meaning that there exists an operation of Eve such that $\rho^n_{AB} = \sigma_{AB}^{\otimes n}$. The set $\Gamma_{\mathrm{QBER}}$ is then defined as the subset of $\Gamma$ containing all states $\sigma_{AB}$ for which the protocol does not abort (with probability almost one). In other words, if $\sigma_{AB} \in \Gamma_{\mathrm{QBER}}$, then the protocol is supposed to compute a secret key when starting with $\rho^n_{AB} = \sigma_{AB}^{\otimes n}$. We will see in Section III that the characterization of the set $\Gamma_{\mathrm{QBER}}$ is sufficient to compute lower bounds on the secret-key rate.

After the parameter estimation, if the estimate for the QBER is below the threshold, Alice and Bob proceed with a classical sub-protocol in order to turn their only partially secure strings $\mathbf{X}$ and $\mathbf{Y}$ into a highly secure key pair $(S_A, S_B)$. The protocol we consider is one-way, i.e., only communication from Alice to Bob is needed. It consists of three steps:

I) Pre-processing: Using her bit string $\mathbf{X}$, Alice computes two strings $\mathbf{U}$ and $\mathbf{V}$, according to some channels $\mathbf{U} \leftarrow \mathbf{X}$ and $\mathbf{V} \leftarrow \mathbf{U}$, defined by conditional probability distributions $P_{\mathbf{U}|\mathbf{X}}$ and $P_{\mathbf{V}|\mathbf{U}}$, respectively. She keeps $\mathbf{U}$ and sends $\mathbf{V}$ to Bob. (We will see that, for most protocols, the performance highly depends on a clever choice of $\mathbf{U}$, whereas the string $\mathbf{V}$ is usually not needed.)

II) Information reconciliation: Alice sends error correction information $\mathbf{W}$ on $\mathbf{U}$ to Bob. Using $\mathbf{Y}$, $\mathbf{V}$, and $\mathbf{W}$, Bob computes a guess $\hat{\mathbf{U}}$ for $\mathbf{U}$.

III) Privacy amplification: Alice randomly chooses a function $F$ from a family of two-universal hash functions [3^| and sends a description of $F$ to Bob. Then Alice and Bob compute their keys, $S_A = F(\mathbf{U})$ and $S_B = F(\hat{\mathbf{U}})$, respectively.

Before starting with the analysis of this protocol, let us introduce some notation. It is most convenient to describe the classical information of Alice and Bob as well as the quantum information of the adversary Eve by a tripartite density operator $\rho_{\mathbf{X}\mathbf{Y}E}$ of the form

$$\rho_{\mathbf{X}\mathbf{Y}E} = \sum_{\mathbf{x},\mathbf{y}} P_{\mathbf{X}\mathbf{Y}}(\mathbf{x},\mathbf{y})\, P_{|\mathbf{x}\rangle} \otimes P_{|\mathbf{y}\rangle} \otimes \rho_E^{\mathbf{x},\mathbf{y}} \tag{4}$$

where $\{|\mathbf{x}\rangle\}_{\mathbf{x}}$ and $\{|\mathbf{y}\rangle\}_{\mathbf{y}}$ are families of orthonormal vectors and where $\rho_E^{\mathbf{x},\mathbf{y}}$ is the quantum state of Eve given that Alice and Bob's random variables $\mathbf{X}$ and $\mathbf{Y}$ take the values $\mathbf{x}$ and $\mathbf{y}$, respectively. Similarly, the classical key pair $(S_A, S_B)$ together with the adversary's information $\rho_{E'}^{s_A,s_B}$ after the protocol execution is described by a quantum state $\rho_{S_A S_B E'}$. We say that $(S_A, S_B)$ is $\epsilon$-secure (with respect to $\rho_{E'}$) if

$$\delta\Big(\rho_{S_A S_B E'},\ \sum_{s} P_S(s)\, P_{|s\rangle} \otimes P_{|s\rangle} \otimes \rho_{E'}\Big) \leq \epsilon \tag{5}$$

where $P_S$ is the uniform distribution over all possible keys $s$ and where $\delta(\cdot,\cdot)$ denotes the trace-distance. This implies that the state $\rho_{S_A S_B E'}$ describing the key of Alice and Bob together with the adversary's quantum system is close to a state where the adversary's system is completely independent of the key.

The goal of the remaining part of this section is to derive an expression for the number $\ell^n$ of $\epsilon$-secure key bits that can be generated by the above protocol, for an optimal choice of the protocol parameters. For this purpose, we first consider some fixed pre-processing, specified by the channels $\mathbf{U} \leftarrow \mathbf{X}$ and $\mathbf{V} \leftarrow \mathbf{U}$, for which we compute the maximum key length $\ell^n_{\mathbf{U}\leftarrow\mathbf{X},\mathbf{V}\leftarrow\mathbf{U}}$. The quantity $\ell^n$ is then obtained by optimizing over all choices of the pre-processing.

Our result is formulated in terms of an information-theoretic quantity, called smooth Rényi entropy 0] (see Appendix ^ for more details). Similarly to the Shannon entropy $H(X)$, the smooth Rényi entropy of a random variable $X$, denoted by $H_\alpha^\epsilon(X)$, is a measure for the uncertainty about the value of $X$. We will also need an extension of this entropy measure to quantum states. Similarly to the von Neumann entropy $S(\rho)$, the smooth Rényi entropy $S_\alpha^\epsilon(\rho)$ of a state $\rho$ quantifies the amount of randomness contained in $\rho$.

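The main ingredient needed for the following derivation is a recent result on the security of privacy amplification (see Lemma C.2). Generally speaking, it says that the length of the key that can be extracted from a string $\mathbf{U}$ held by both Alice and Bob is given by the uncertainty of the adversary about $\mathbf{U}$, measured in terms of smooth Rényi entropies. Applied to the last step of our protocol, we get

$$\ell^n_{\mathbf{U}\leftarrow\mathbf{X},\mathbf{V}\leftarrow\mathbf{U}} \approx S_2^\epsilon(\rho_{\mathbf{U}\mathbf{V}\mathbf{W}E}) - S_0^\epsilon(\rho_{\mathbf{V}\mathbf{W}E}) , \tag{6}$$

where $\epsilon$ depends on the desired security of the final key and where the approximation "$\approx$" means that equality holds up to some small additive term of the order $O(\log(1/\epsilon))$. In this formula, $\rho_{\mathbf{U}\mathbf{V}\mathbf{W}E}$ is the density operator describing the strings $\mathbf{U}$, $\mathbf{V}$, and $\mathbf{W}$, together with the adversary's knowledge, i.e.,

$$\rho_{\mathbf{U}\mathbf{V}\mathbf{W}E} = \sum_{\mathbf{x},\mathbf{y},\mathbf{u},\mathbf{v},\mathbf{w}} P_{\mathbf{X}\mathbf{Y}\mathbf{U}\mathbf{V}\mathbf{W}}(\mathbf{x},\mathbf{y},\mathbf{u},\mathbf{v},\mathbf{w})\, P_{|\mathbf{u}\rangle} \otimes P_{|\mathbf{v}\rangle} \otimes P_{|\mathbf{w}\rangle} \otimes \rho_E^{\mathbf{x},\mathbf{y}}$$

where $\{|\mathbf{u}\rangle\}_{\mathbf{u}}$, $\{|\mathbf{v}\rangle\}_{\mathbf{v}}$, and $\{|\mathbf{w}\rangle\}_{\mathbf{w}}$ are families of orthonormal vectors. Note that, since the channel connecting Alice and Bob might be arbitrarily insecure, the key must be secure even if the adversary knows $\mathbf{V}$ and $\mathbf{W}$.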

In the next step, we will eliminate the dependence on $\mathbf{W}$ in (6). For this, we consider the amount $m$ of (useful) information contained in $\mathbf{W}$. Since $\mathbf{W}$ is needed by Bob in order to guess $\mathbf{U}$, $m$ depends on his uncertainty about $\mathbf{U}$. In fact, if an optimal error correction code is applied, then $m$ is roughly equal to the entropy of $\mathbf{U}$ conditioned on Bob's information $\mathbf{Y}$ and $\mathbf{V}$. More precisely, using Lemma C.3 described in Appendix C we have $m \approx H_0^\epsilon(\mathbf{U}|\mathbf{Y}\mathbf{V})$. Hence, when omitting $\mathbf{W}$ on the right hand side of (6), the smooth Rényi entropies cannot decrease by more than $m$ (see Appendix ^ for a summary of the properties of smooth Rényi entropy). We thus immediately obtain

$$\ell^n_{\mathbf{U}\leftarrow\mathbf{X},\mathbf{V}\leftarrow\mathbf{U}} \approx S_2^\epsilon(\rho_{\mathbf{U}\mathbf{V}E}) - S_0^\epsilon(\rho_{\mathbf{V}E}) - H_0^\epsilon(\mathbf{U}|\mathbf{V}\mathbf{Y}) . \tag{7}$$

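Since the channels $\mathbf{U} \leftarrow \mathbf{X}$ and $\mathbf{V} \leftarrow \mathbf{U}$ applied by Alice in the first step of the classical post-processing protocol are arbitrary, we can optimize over all choices of such channels. We thus conclude that the number $\ell^n$ of key bits that can be generated by the described protocol, for an optimal choice of all the parameters, is given by

$$\ell^n \approx \sup_{\substack{\mathbf{U}\leftarrow\mathbf{X} \\ \mathbf{V}\leftarrow\mathbf{U}}} S_2^\epsilon(\rho_{\mathbf{U}\mathbf{V}E}) - S_0^\epsilon(\rho_{\mathbf{V}E}) - H_0^\epsilon(\mathbf{U}|\mathbf{V}\mathbf{Y}) . \tag{8}$$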

In the following, we will often consider protocols where the strings $\mathbf{U}$ and $\mathbf{V}$ are computed bit-wise from the string $\mathbf{X}$. The maximum length of the secret key that can be generated by such a protocol is then given by an expression similar to (8), but where the supremum is only taken over bit-wise channels $U \leftarrow X$ and $V \leftarrow U$.



III. A LOWER BOUND ON THE SECRET-KEY 
RATE 

The goal of this section is to derive a lower bound for the secret-key rate which only involves two-qubit states and which is thus easy to compute. For this purpose, we use the general expression (8) of Section II B for the number of key bits that can be generated from a given state, together with the fact that, after symmetrization, any state of Alice and Bob has the simple form (1).

Let us start with a description of our main result. Consider the QKD protocol described in Section II where we assume that Alice uses bit-wise channels $U \leftarrow X$ and $V \leftarrow U$ to compute $\mathbf{U} = (U_1, \ldots, U_n)$ and $\mathbf{V} = (V_1, \ldots, V_n)$, respectively, from her data $\mathbf{X} = (X_1, \ldots, X_n)$. Let $\Gamma_{\mathrm{QBER}}$ be the set of two-qubit density operators $\sigma_{AB}$ defined in Section II B, i.e., the protocol aborts (with high probability) whenever it starts with a product state $(\sigma_{AB})^{\otimes n}$ for any $\sigma_{AB} \notin \Gamma_{\mathrm{QBER}}$. We show that, for an optimal choice of the parameters, the protocol of the previous section generates secret key bits at rate $r := \lim_{n\to\infty} \frac{\ell^n}{n}$ where

$$r \geq \sup_{\substack{U \leftarrow X \\ V \leftarrow U}}\ \inf_{\sigma_{AB} \in \Gamma_{\mathrm{QBER}}} \big(S(U|VE) - H(U|YV)\big) . \tag{9}$$

In this formula, $S(U|VE)$ denotes the von Neumann entropy of $U$ conditioned on $V$ and Eve's initial information, i.e., $S(U|VE) := S(\sigma_{UVE}) - S(\sigma_{VE})$. The state $\sigma_{UVE}$ is obtained from $\sigma_{AB}$ by taking a purification $\sigma_{ABE}$ of the Bell-diagonal state $\sigma_{AB}^{\mathrm{diag}} := \mathcal{D}_2(\sigma_{AB})$ EH and applying the measurement of Alice followed by the classical channels $U \leftarrow X$ and $V \leftarrow U$. Similarly, $Y$ is the outcome of Bob's measurement applied to the second subsystem of $\sigma_{ABE}$.

As (9) involves a minimization over the set $\Gamma_{\mathrm{QBER}}$ of two-qubit states, our lower bound on the secret-key rate only depends on the set of possible collective attacks. On the other hand, the security we prove holds against any arbitrary coherent attack. Note also that the statement extends to the situation where Alice — instead of applying a bit-wise pre-processing on each of the $n$ bits — uses some operation involving larger blocks, say of length $m$. In this case, one has to consider all attacks $U^{\otimes r}$ where the adversary applies the same operation $U$ on each of the $r = \frac{n}{m}$ blocks.

A crucial task when computing explicit values for (9) is to characterize the set $\Gamma_{\mathrm{QBER}}$. This set is determined by the conditions under which the protocol aborts. In Section we will demonstrate how formula (9) is computed for concrete QKD schemes such as the BB84 or the six-state protocol. It turns out that, in these examples, the maximum is taken if $V \leftarrow U$ is the trivial channel where $V$ is independent of $U$, i.e., the random variable $V$ can be omitted.

One method to further reduce the number of parameters is to consider the set $\mathcal{D}_2(\mathcal{D}_1(\Gamma_{\mathrm{QBER}}))$, which only contains normalized two-qubit density operators of the form

$$\rho[\lambda] = \lambda_1 P_{|\Phi^+\rangle} + \lambda_2 P_{|\Phi^-\rangle} + \lambda_3 P_{|\Psi^+\rangle} + \lambda_4 P_{|\Psi^-\rangle} , \tag{10}$$

i.e., Eq. for $n = 1$. As mentioned in Section II A (see [13] for details), the state shared by Alice and Bob is — independently of the considered protocol — measured with respect to the z-basis. Hence, we obtain for the QBER $Q$, computed as an average over the different encodings, $Q = \lambda_3 + \lambda_4$. Apart from that, the state must be normalized, which implies that, for any given value of $Q$, there are at most two free parameters, $\lambda_2$ and $\lambda_3$, i.e., $\lambda_1 = 1 - Q - \lambda_2$, $\lambda_4 = Q - \lambda_3$.
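
The following Python sketch is an added example, not code from the paper: it evaluates the single-letter quantity S(U|E) - H(U|Y) of the lower bound (9) on a Bell-diagonal state of the form (10), with V omitted and U obtained from X by flipping each bit with probability q (the added noise mentioned in the abstract). Assumptions not stated in this section: for BB84 the error rate in the x-basis also equals Q, which gives λ2 + λ4 = Q and leaves λ4 as the only free parameter; the function names, the grid search over λ4 and the bisection are illustrative choices.

```python
import math

def shannon(probs):
    """Shannon entropy in bits; zero (or rounding-level) weights contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 1e-15)

def h2(p):
    """Binary entropy h(p)."""
    return shannon((p, 1.0 - p))

def block_eigs(a, b, q):
    """Eigenvalues of the 2x2 block [[a, c], [c, b]] with c = (1 - 2q) * sqrt(a*b).

    Derivation (added here): purify the Bell-diagonal state as
    sum_i sqrt(l_i) |Phi_i>_AB |e_i>_E. Given Alice's z-outcome x, Eve holds
    |a_x><a_x| + |b_x><b_x| with a_x = sqrt(l1) e1 + (-1)^x sqrt(l2) e2 and
    b_x = sqrt(l3) e3 + (-1)^x sqrt(l4) e4. Mixing x = u and x = 1 - u with
    weights 1 - q and q scales the off-diagonal terms by (1 - 2q).
    """
    mean = (a + b) / 2.0
    root = math.sqrt(((a - b) / 2.0) ** 2 + (1.0 - 2.0 * q) ** 2 * a * b)
    return (mean + root, max(mean - root, 0.0))

def rate_for_state(lam, q):
    """S(U|E) - H(U|Y) for Bell-diagonal weights lam = (l1, l2, l3, l4)."""
    l1, l2, l3, l4 = lam
    qber = l3 + l4                                   # z-basis error rate Q
    s_eve_given_u = shannon(block_eigs(l1, l2, q) + block_eigs(l3, l4, q))
    s_u_given_e = 1.0 + s_eve_given_u - shannon(lam)  # H(U) = 1, S(E) = H(lam)
    h_u_given_y = h2(qber * (1.0 - q) + (1.0 - qber) * q)
    return s_u_given_e - h_u_given_y

def bb84_rate(Q, q=0.0, grid=1000):
    """Infimum of rate_for_state over the states compatible with QBER Q.

    Assumed BB84 constraints: l3 + l4 = Q (z-basis) and l2 + l4 = Q (x-basis).
    """
    if not (0.0 <= Q <= 0.5 and 0.0 <= q <= 0.5):
        raise ValueError("Q and q must lie in [0, 0.5]")
    worst = float("inf")
    for k in range(grid + 1):
        l4 = Q * k / grid
        side = max(Q - l4, 0.0)                      # l2 = l3
        lam = (1.0 - 2.0 * Q + l4, side, side, l4)
        worst = min(worst, rate_for_state(lam, q))
    return worst

def bb84_threshold(q=0.0, lo=0.01, hi=0.25, iters=30):
    """QBER at which the bound changes sign (assumes one sign change in [lo, hi])."""
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if bb84_rate(mid, q) > 0.0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

if __name__ == "__main__":
    for Q in (0.05, 0.10, 0.115):
        print(Q, round(bb84_rate(Q, 0.0), 5), round(bb84_rate(Q, 0.4), 5))
    print("threshold without noise:", round(bb84_threshold(0.0), 4))
    print("threshold with q = 0.4:", round(bb84_threshold(0.4), 4))
```

Without added noise the bound reduces to 1 - 2h(Q); with q = 0.4 it stays positive at QBER values where the noiseless bound is already negative.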

To prove (9), we will make use of a known result 0] on the relation between the statistics obtained when applying two different measurements $\mathcal{E}$ and $\mathcal{F}$ on the individual subsystems of a symmetric $n$-partite state $\rho^n$ (cf. Lemma C.1 in Appendix C). Let $\mathbf{Z} = (Z_1, \ldots, Z_k)$ be the outcomes when applying $\mathcal{E}$ to each of the first $k$ subsystems of $\rho^n$, for $k < n$, and let $Q_{\mathbf{Z}}$ be the frequency distribution of the symbols in the string $\mathbf{Z}$, i.e., for any possible measurement outcome $z$,



Similarly, let $Q_{\mathbf{Z}'}$ be the frequency distribution of the outcomes $\mathbf{Z}' = (Z'_1, \ldots, Z'_{k'})$ of $\mathcal{F}$ applied to $k'$ of the remaining $n - k$ subsystems of $\rho^n$. Lemma C.1 implies that, if $k$ and $k'$ are large enough, then, with probability almost one, there exists a density operator $\sigma$ on one subsystem which is compatible with both of these statistics. Formally, this means that $Q_{\mathbf{Z}} \approx P_{\mathcal{E}}[\sigma]$ and $Q_{\mathbf{Z}'} \approx P_{\mathcal{F}}[\sigma]$, where $P_{\mathcal{E}}[\sigma]$ and $P_{\mathcal{F}}[\sigma]$ denote the probability distributions of the outcomes when measuring $\sigma$ with respect to $\mathcal{E}$ and $\mathcal{F}$, respectively. Moreover, the state $\sigma$ is contained in a certain set $\mathcal{B}$ which, roughly speaking, contains all density operators which correspond to the state of one single subsystem of $\rho^n$, conditioned on any measurement on the remaining subsystems.

We are now ready to prove expression 10 for the secret-key
rate. As in Section III A, we consider an extension
of the protocol where, before invoking the classical part
of the QKD protocol, Alice and Bob symmetrize their
strings X and Y. More concretely, they both apply
the same randomly chosen permutation on their strings.
Clearly, this is equivalent to a protocol where Alice and
Bob first permute and then measure their bits (see Section ^^J.
The state $\rho^n_{AB}$ of Alice and Bob's system
before the measurement is then symmetric. We can thus
assume without loss of generality that the first $n_{pe}$ qubit
pairs are used for the parameter estimation, while the
actual key is generated from the measurement outcomes
obtained from the next $n_{data}$ pairs.

Consider now some fixed protocol where the pre-processing
is defined by the channels $U \leftarrow X$ and $V \leftarrow U$.
We show that this protocol is secure as long as the rate
at which the key is generated is not larger than

$$r_{U \leftarrow X, V \leftarrow U} = \inf_{\sigma_{AB} \in \Gamma_{\mathrm{QBER}}} \bigl(S(U|VE) - H(U|YV)\bigr) . \tag{11}$$

In other words, $r_{U \leftarrow X, V \leftarrow U}$ is the rate that can be
achieved if the channels $U \leftarrow X$ and $V \leftarrow U$ are used
for the pre-processing. The assertion then follows by
optimizing over all channels for the pre-processing.

The proof of (11) is subdivided into two parts. In
the first part, we show that the parameter estimation
works correctly, i.e., if the adversary introduces too much
noise, then the protocol aborts. The second part of the
proof is concerned with the security of the classical
post-processing step, that is, if the noise is below a certain
level, then the final key is secure.

For this analysis, we need to consider the state
$\rho_{AB}^{n_{pe}+n_{data}}$ of the qubit pairs used for parameter estimation
and classical post-processing. However, in order to
simplify the presentation of the proof, we assume that
there is a small number $n_{aux} := n - n_{pe} - n_{data} > 0$
of additional two-qubit pairs which are not used by the
protocol [3^ |. In order to get some information about
the structure of the state $\rho_{AB}^{n_{pe}+n_{data}}$, we consider a
measurement $\mathcal{E}_{\mathrm{Bell}}$ with respect to the Bell basis applied to
each of the remaining $n_{aux}$ positions of $\rho^n_{AB}$. We then
analyze the security of our QKD protocol conditioned on
the statistics $Q_W$ of the outcomes $W = (W_1, \ldots, W_{n_{aux}})$
of this measurement. We show that the protocol is secure
for all values of $Q_W$, which implies that the protocol is
secure in general (with probability almost one).

Formally, let $P_{\mathcal{E}_{\mathrm{Bell}}}[\Gamma_{\mathrm{QBER}}]$ be the set of probability
distributions obtained by measuring the states $\sigma_{AB} \in \Gamma_{\mathrm{QBER}}$
with respect to the Bell basis. We prove the following
two statements:

1. If $Q_W \notin P_{\mathcal{E}_{\mathrm{Bell}}}[\Gamma_{\mathrm{QBER}}]$ then the protocol aborts
after the parameter estimation, i.e., no key is generated.

2. If $Q_W \in P_{\mathcal{E}_{\mathrm{Bell}}}[\Gamma_{\mathrm{QBER}}]$ then the key generated by
the classical post-processing is secure.

To prove statement 1, let $\mathcal{F}$ be the measurement that
Alice and Bob apply to each of the $n_{pe}$ qubit pairs used
for parameter estimation and let $Q_{pe}$ be the frequency
distribution of the measurement outcomes of $\mathcal{F}$. Since
the state $\rho^n_{AB}$ is symmetric, we can apply Lemma C.1
described above, where $\mathcal{B}$ is defined by the set $\Gamma$ of
all two-qubit states characterizing the collective attacks
of Eve, as described in Section III B. Hence, there exists
a state $\sigma_{AB} \in \Gamma$ (of a single qubit pair) which is
compatible with both the statistics $Q_{pe}$ and $Q_W$, i.e.,
$P_{\mathcal{F}}[\sigma_{AB}] \approx Q_{pe}$ and $P_{\mathcal{E}_{\mathrm{Bell}}}[\sigma_{AB}] \approx Q_W$. Assume now
that $Q_W \notin P_{\mathcal{E}_{\mathrm{Bell}}}[\Gamma_{\mathrm{QBER}}]$. Because of $P_{\mathcal{E}_{\mathrm{Bell}}}[\sigma_{AB}] \approx Q_W$,
this implies that $\sigma_{AB} \notin \Gamma_{\mathrm{QBER}}$. On the other hand, since
$P_{\mathcal{F}}[\sigma_{AB}] \approx Q_{pe}$, the statistics $Q_{pe}$ corresponds to the
frequency distribution obtained when measuring each of the
$n_{pe}$ subsystems of the product state $(\sigma_{AB})^{\otimes n_{pe}}$ with respect
to $\mathcal{F}$. Hence, by the definition of the set $\Gamma_{\mathrm{QBER}}$,
the protocol aborts.

We proceed with the proof of statement 2. For any
frequency distribution Q, let $\rho_{AB|Q_W=Q}$ be the state of
the $n_{data}$ qubit pairs used for generating the final key,
conditioned on the event that the statistics of the measurement
outcomes of the $n_{aux}$ auxiliary pairs is equal
to Q. Assume now that Alice and Bob measure their
data bits according to one fixed basis j^l], called z-basis,
and, additionally, apply common random bit-flips. Then,
according to the discussion in Section fll Al it is sufficient
to consider states of the form In particular, the conditional
state $\rho_{AB|Q_W=Q}$ can be written as



"AB|Qw=Q 



711,712,713,714 



where $P_{n_1,n_2,n_3,n_4}$ is defined by (J2J). Hence, if we applied
the Bell measurement $\mathcal{E}_{\mathrm{Bell}}$ to each of the $n_{data}$ subsystems,
then, for any 4-tuple $(n_1,n_2,n_3,n_4)$, with probability
$\mu_{n_1,n_2,n_3,n_4}$, the resulting frequency distribution
Qdata would be equal to Q ni ,n 2 ,n 3 ,n^ ■= (v' 77- 77' ~n )• 
On the other hand, it follows directly from Lemma C.1
(with $\mathcal{E} = \mathcal{F} = \mathcal{E}_{\mathrm{Bell}}$) that $Q_{data} \approx Q_W$ holds with
probability almost one. Hence, the coefficients $\mu_{n_1,n_2,n_3,n_4}$ can
only be non-negligible if $Q_{n_1,n_2,n_3,n_4}$ is close to $Q_W$, that
is, we can restrict the sum in (12) to values $(n_1,n_2,n_3,n_4)$
such that $Q_{n_1,n_2,n_3,n_4} \approx Q$.

Consider now the product state $(\sigma_{AB})^{\otimes n_{data}}$, where
$\sigma_{AB} := \rho^1[Q]$ is the two-qubit state depending on Q
as defined by (10). Since the state $(\sigma_{AB})^{\otimes n_{data}}$ is symmetric,
we can also write it in the form (12), with
some coefficients $\mu'_{n_1,n_2,n_3,n_4}$. Again, these coefficients
can only be non-negligible if $Q_{n_1,n_2,n_3,n_4}$ is close to Q.
Hence, the states $\rho_{AB|Q_W=Q}$ and $(\sigma_{AB})^{\otimes n_{data}}$ have the
same structure (12) where the coefficients $\mu_{n_1,n_2,n_3,n_4}$
and $\mu'_{n_1,n_2,n_3,n_4}$ are negligible except for $Q_{n_1,n_2,n_3,n_4} \approx Q$.
Using this fact, it is a consequence of the results
presented in Appendix A 3 that the smooth Renyi entropies
of the states derived from $\rho_{AB|Q_W=Q}$ are roughly
equal to the corresponding entropies of the states derived
from $(\sigma_{AB})^{\otimes n_{data}}$. To make this a bit more precise, let
$\rho_{UVE|Q_W=Q}$ be the state obtained when applying the
measurement of Alice followed by the channels $U \leftarrow X$
and $V \leftarrow U$ to each of the subsystems of a purification



and 



Then, Lemma A.3 implies that



QS( n d ata 

°2\Puve\Q w = 



5 o(Pvb|q w =q) » n data S(a VE ) 

where $\sigma_{UVE}$ is the state obtained from $\sigma_{AB} := \rho^1[Q]$, as
described after JSJ|.

Using these identities, it follows from (JJJ that the final
key generated by the protocol of the previous section, for
fixed channels $U \leftarrow X$ and $V \leftarrow U$, is secure as long as
its length is not larger than

$$\ell_{U \leftarrow X, V \leftarrow U}[\sigma_{AB}] \approx n_{data}\,\bigl(S(\sigma_{UVE}) - S(\sigma_{VE}) - H(U|VY)\bigr)$$

for $\sigma_{AB} = \rho^1[Q]$. In other words, $\ell_{U \leftarrow X, V \leftarrow U}[\sigma_{AB}]$ is
the length of a secure key that can be extracted when
applying the protocol to a state of the form $\rho_{AB|Q_W=Q}$.
Since the final key must be secure for all possible initial
states for which the protocol does not abort, we have
to take the minimum of this quantity over the states
$\sigma_{AB} = \rho^1[Q]$, for any $Q \in P_{\mathcal{E}_{\mathrm{Bell}}}[\Gamma_{\mathrm{QBER}}]$. Since, according
to (10), $\rho^1[Q]$ is diagonal, the minimum ranges over
all diagonal states cr^f whose diagonal elements corre- 
spond to Q € -PfBdi (Fqber) • This is equivalent to say 
that the diagonal elements of cr^f are equal to the diag- 
onal entries of a density operator a ab € Tqber, i-e., the 
number i of key bits generated by the protocol is given 
by 



^u^xy^u 



inf 

O AB £TqbeR 



£u^x,v^uWab S ] 



where ajjj — 



= T>2{(Jab) 
of lfTT|) and thus also © ■ 



This concludes the proof 



IV. AN UPPER BOUND ON THE SECRET-KEY RATE

As demonstrated in Section III, the rate of a QKD
protocol is lower bounded by an expression which only
involves von Neumann entropies of states of single qubit
pairs (cf. |J3J). In the following, we show that, roughly
speaking, the right hand side of J§J is also an upper
bound on the rate if the supremum is taken over all quantum
channels (instead of only classical channels) $U \leftarrow X$
and $V \leftarrow X$.

Clearly, in order to prove upper bounds, it is sufficient
to consider collective attacks. We thus assume that the
overall state $\rho^n_{ABE}$ of Alice's, Bob's, and Eve's quantum
system has product form, i.e., $\rho^n_{ABE} = \sigma_{ABE}^{\otimes n}$, for some
tripartite state $\sigma_{ABE}$. Hence, before starting with the
classical processing, the situation is fully specified by the
n-fold product state $\sigma_{XYE}^{\otimes n}$, where $\sigma_{XYE}$ is the state
obtained when applying Alice's and Bob's measurements to
$\sigma_{ABE}$. Similarly to $\sigma_{XYE}$ can be written as

$$\sigma_{XYE} = \sum_{x,y} P_{XY}(x, y)\, P_{|x\rangle} \otimes P_{|y\rangle} \otimes \sigma_E^{x,y} .$$

We show that the rate $r(\sigma_{XYE})$ at which secret key
bits can be generated from this situation, using only a
public communication channel from Alice and Bob, is
upper bounded by

$$r(\sigma_{XYE}) \leq \sup_{\sigma_U,\,\sigma_V \leftarrow X} \bigl(S(U|VE) - S(U|YV)\bigr) . \tag{13}$$

In this formula, the supremum is taken over all density
operators $\sigma_U^x$ and $\sigma_V^x$ depending on x. The density
operators occurring in the entropies are then given by the
appropriate traces of

$$\sigma_{UVYE} := \sum_{x,y} P_{XY}(x, y)\, \sigma_U^x \otimes \sigma_V^x \otimes P_{|y\rangle} \otimes \sigma_E^{x,y} . \tag{14}$$

A similar upper bound for the key rate follows from a
result of Devetak and Winter [25]. In contrast to (13),
their formula involves an additional limes over the number
n of product states, whereas the supremum only involves
classical channels $U \leftarrow X$ and $V \leftarrow U$.

Because of the optimization over the density operators
$\sigma_U^x$ and $\sigma_V^x$, expression (13) is generally hard to evaluate.
To simplify this computation, it is convenient to consider
measurements of Eve, resulting in classical values Z. In
this case, the bound corresponds to a known result due
to Csiszar and Korner [2(|,

$$r(X,Y,Z) = \sup_{U \leftarrow X,\, V \leftarrow U} \bigl(H(U|VZ) - H(U|YV)\bigr) . \tag{15}$$

The proof of the upper bound (13) is subdivided into
two parts: First, in Section IV A, we give general conditions
on a measure M such that $M(\sigma_{XYE})$ is an upper
bound on the rate $r(\sigma_{XYE})$. Second, in Section IV B, we
show that the measure M defined by the right hand side
of (13) satisfies these conditions.

A. General properties of upper bounds 

Let M be a real-valued function on the set of tripartite
density operators. We show that $M(\sigma_{XYE})$ is an upper
bound on the rate $r(\sigma_{XYE})$ if the following conditions are
satisfied. (Here, we also write $M(X; Y; E)$ instead of
$M(\sigma_{XYE})$. Moreover, if a random variable X' is computed
from X, we write $X' \leftarrow X$.)

1. $M(\sigma_{XYE}^{\otimes n}) \leq n\,M(\sigma_{XYE})$, for any $n \in \mathbb{N}$.

2. $M(X'; Y; E) \leq M(X; Y; E)$ for $X' \leftarrow X$.

3. $M(X; Y'; E) \leq M(X; Y; E)$ for $Y' \leftarrow Y$.

4. $M(XC; YC; EC) \leq M(X; Y; E)$ for $C \leftarrow X$.

5. There exists a function $\alpha$ with $\lim_{\varepsilon \to 0} \alpha(\varepsilon) = 0$ such
that, for any state $\rho_{S_A S_B E}$ describing an $\varepsilon$-secure
key pair of length $\ell$ (cf. ©),

$$M(\rho_{S_A S_B E}) \geq (1 - \alpha(\varepsilon))\,\ell .$$

Consider an arbitrary secret-key agreement protocol
and assume that the protocol starts with n copies of the
state $\sigma_{XYE}$. Let $\rho_{S_A S_B E'}$ be the overall state of Alice's
and Bob's key $S_A$ and $S_B$, respectively, together with the
adversary's information E' after the protocol execution.
Then, using properties we find

$$n\,M(\sigma_{XYE}) \geq M(\sigma_{XYE}^{\otimes n}) \geq M(\rho_{S_A S_B E'}) . \tag{16}$$

For any $n \in \mathbb{N}$, the resulting state must be $\varepsilon(n)$-close to a
state describing a secret key of length $\ell(n)$, for $\varepsilon(n) \to 0$
as n approaches infinity. Hence, from (16) and property 5,

$$M(\sigma_{XYE}) \geq \lim_{n \to \infty} \frac{\ell(n)}{n} = r(\sigma_{XYE}) ,$$

which concludes the proof.

B. A concrete expression for the upper bound 

Let M be the measure defined by the right hand side
of (13), i.e., for any tripartite density operator $\sigma_{XYE}$,
$M(\sigma_{XYE}) := M(X; Y; E)$ is given by

$$M(X;Y;E) := \sup \bigl(S(U|VE) - S(U|VY)\bigr) .$$

The goal of this section is to show that this measure
satisfies the conditions of Section IV A, which implies
that $M(\sigma_{XYE})$ is an upper bound on the secret-key rate
$r(\sigma_{XYE})$.

Let us start with property 1. It suffices to show that,
for any state $\sigma_{XYEX'Y'E'} := \sigma_{XYE} \otimes \sigma_{X'Y'E'}$,

$$M(XX'; YY'; EE') \leq M(X; Y; E) + M(X'; Y'; E') ,$$

i.e.,

$$\sup_{(U,V) \leftarrow (X,X')} S(U|VEE') - S(U|VYY') \leq \sup_{(U,V) \leftarrow X} S(U|VE) - S(U|VY) + \sup_{(U',V') \leftarrow X'} S(U'|V'E') - S(U'|V'Y') ,$$

where $(U,V) \leftarrow X$ (and likewise $(U',V') \leftarrow X'$ and
$(U, V) \leftarrow (X, X')$) means that the density operators
$\sigma_U^x$ and $\sigma_V^x$ used for the definition of $\sigma_{UVE}$ and $\sigma_{UVY}$
(cf. (14)) are computed from the classical random variable X.
The left hand side of this expression can be
upper bounded by

$$\sup_{(U,V) \leftarrow (X,X')} S(U|VEE') - S(U|VYE') + \sup_{(U,V) \leftarrow (X,X')} S(U|VYE') - S(U|VYY') .$$

It thus remains to be shown that for any $(U, V) \leftarrow (X,X')$
there exists $(U, V) \leftarrow X$ such that

$$S(U|VEE') - S(U|VYE') \leq S(U|VE) - S(U|VY) \tag{17}$$

and, similarly, for any $(U, V) \leftarrow (X, X')$ there exists
$(U', V') \leftarrow X'$ such that

$$S(U|VYE') - S(U|VYY') \leq S(U'|V'E') - S(U'|V'Y') . \tag{18}$$

Inequality (17) follows from the observation that
$(U,V,E') \leftarrow X \leftarrow (Y,E)$ is a Markov chain [U, that
is, we can set U := U and V := (V,E'), in which case
the left hand side and the right hand side of (17) become
identical. Inequality (18) follows similarly from the fact
that $(U,V,Y) \leftarrow X' \leftarrow (Y',E')$ is a Markov chain, i.e.,
we can set U' := U and V' := (V, Y) to obtain equality.
To prove property 2, that is, for any $X' \leftarrow X$,

$$\sup_{(U',V') \leftarrow X'} S(U'|V'E) - S(U'|V'Y) \leq \sup_{(U,V) \leftarrow X} S(U|VE) - S(U|VY) ,$$

it suffices to show that if $(U', V') \leftarrow X' \leftarrow (X, Y, E)$ is a
Markov chain then $(U', V') \leftarrow X \leftarrow (Y, E)$ is a Markov
chain. This is true since $X' \leftarrow X \leftarrow (Y, E)$ is a Markov
chain.

For property 3, we need to show that, for any $Y' \leftarrow Y$,

$$\sup_{(U,V) \leftarrow X} S(U|VE) - S(U|VY') \leq \sup_{(U,V) \leftarrow X} S(U|VE) - S(U|VY) .$$

This is however a direct consequence of the strong
subadditivity, implying that

$$S(U|VY') \geq S(U|VY'Y) = S(U|VY) ,$$

where the equality is a consequence of the fact that
$Y' \leftarrow Y \leftarrow (U, V)$ is a Markov chain.

To prove property 4, i.e., for $C \leftarrow X$,

$$\sup_{(U',V') \leftarrow (X,C)} S(U'|V'EC) - S(U'|V'YC) \leq \sup_{(U,V) \leftarrow X} S(U|VE) - S(U|VY) ,$$

note that $(U', V', C) \leftarrow X \leftarrow (Y, E)$ is a Markov chain.
We can thus set U := U' and V := (V', C), in which case
the left hand side and the right hand side of the above
expression become equal.

It remains to be shown that property 5 holds. Let
$\sigma_U^x := P_{|x\rangle}$ and let $\sigma_V$ be an arbitrary state independent
of x. Then, from Lemma B.2,

M(S A ; S B ;E) > S(S A \E) - S^Ss) 

> S(S A ) - y/2k - l/e - S{S A \S B ) , 

where $M(S_A; S_B; E) := M(\rho_{S_A S_B E})$. The assertion then
follows from the fact that

I(S A ;S B ) > ((l- £ -2h(e)))£ . 

V. EXAMPLES: THE SIX-STATE, BB84, AND 
B92 PROTOCOLS 

To compute expression © for the secret-key rate, we
have to optimize over the choices of the channels $U \leftarrow X$
and $V \leftarrow U$ used for the classical processing. Clearly,
every choice of these channels gives a lower bound on 
the rate. Surprisingly, for the QKD protocols considered 
below, a good choice is to define U as a noisy version 
of X, while V is set to a constant, i.e., it can be dis- 
carded. For the protocol, this means that, before doing 
error correction, Alice should simply add some noise to 
her measurement data. Intuitively, this puts Bob into a 
better position than Eve, since the effect of this noise on 
the correlation between Alice and Eve is worse than on 
those between Alice and Bob. 



A. Six-state protocol 

The six-state protocol @ uses three different encodings,
defined by the z-basis $\{|0\rangle_z, |1\rangle_z\}$, the x-basis
$\{|0\rangle_x, |1\rangle_x\} := \{\tfrac{1}{\sqrt{2}}(|0\rangle_z \pm |1\rangle_z)\}$, and the y-basis
$\{|0\rangle_y, |1\rangle_y\} := \{\tfrac{1}{\sqrt{2}}(|0\rangle_z \pm i|1\rangle_z)\}$. Alice and Bob
measure the QBER for each of these encodings. This gives
three conditions on the diagonal entries $\lambda_1, \ldots, \lambda_4$ (with
respect to the Bell basis) of the states $\sigma_{AB}$ contained
in the set $\Gamma_{\mathrm{QBER}}$ over which we have to minimize (see
equation @). In particular, if the QBER equals Q for
all encodings, we get $\lambda_3 + \lambda_4 = Q$, $\lambda_2 + \lambda_4 = Q$, and
$\lambda_2 + \lambda_3 = Q$. Together with the normalization, we
immediately find $\lambda_1 = 1 - \tfrac{3}{2}Q$ and $\lambda_2 = \lambda_3 = \lambda_4 = \tfrac{1}{2}Q$.

In order to evaluate the entropies occurring in expression ©,
we need to consider a purification $|\Psi\rangle_{ABE}$ of the
diagonalization $\mathcal{D}_2(\sigma_{AB})$ of $\sigma_{AB}$, i.e.,

$$|\Psi\rangle_{ABE} := \sum_{i=1}^{4} \sqrt{\lambda_i}\, |\Phi_i\rangle_{AB} \otimes |\nu_i\rangle_E ,$$

where $|\Phi_1\rangle_{AB}, \ldots, |\Phi_4\rangle_{AB}$ denote the Bell states in Alice
and Bob's joint system (with respect to the z-basis |4jj)
and where $|\nu_1\rangle_E, \ldots, |\nu_4\rangle_E$ are some mutually orthogonal
states in Eve's system. It is easy to verify that, if Alice
and Bob apply their measurements (with respect to the
z-basis), resulting in outcomes x and y, respectively, the
state of Eve's system is given by $|\theta^{x,y}\rangle$, where



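$$|\theta^{0,0}\rangle = \tfrac{1}{\sqrt{2}}\bigl(\sqrt{\lambda_1}\,|\nu_1\rangle_E + \sqrt{\lambda_2}\,|\nu_2\rangle_E\bigr)$$
$$|\theta^{1,1}\rangle = \tfrac{1}{\sqrt{2}}\bigl(\sqrt{\lambda_1}\,|\nu_1\rangle_E - \sqrt{\lambda_2}\,|\nu_2\rangle_E\bigr)$$
$$|\theta^{0,1}\rangle = \tfrac{1}{\sqrt{2}}\bigl(\sqrt{\lambda_3}\,|\nu_3\rangle_E + \sqrt{\lambda_4}\,|\nu_4\rangle_E\bigr)$$
$$|\theta^{1,0}\rangle = \tfrac{1}{\sqrt{2}}\bigl(\sqrt{\lambda_3}\,|\nu_3\rangle_E - \sqrt{\lambda_4}\,|\nu_4\rangle_E\bigr)$$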



In particular, the density operators $\sigma_E^0$ and $\sigma_E^1$ describing
Eve's system, if Alice has the value 0 or 1, respectively,
are given by a E — iPgo.o) + ^P\ga,i\ and a E — hP\$i,o\ + 
We can write these states with respect to the 
basis {\u ) E , \v 3 ) B }, 

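$$\sigma_E^x = \begin{pmatrix}
\lambda_1 & \pm\sqrt{\lambda_1\lambda_2} & 0 & 0 \\
\pm\sqrt{\lambda_1\lambda_2} & \lambda_2 & 0 & 0 \\
0 & 0 & \lambda_3 & \pm\sqrt{\lambda_3\lambda_4} \\
0 & 0 & \pm\sqrt{\lambda_3\lambda_4} & \lambda_4
\end{pmatrix}$$

where ± is a plus sign if x = 0 and a minus sign if x = 1.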

As mentioned above, we define U as a noisy version
of X, with bit-flip probability q, i.e., $P_{U|X=0}(1) =
P_{U|X=1}(0) = q$. Moreover, V is set to a constant,
which means that it can simply be omitted. Using
the fact that $S(UE) = H(U) + S(E|U)$, and, similarly,
$H(UY) = H(U) + H(Y|U)$, the entropy difference on the
right hand in the supremum of @ is given by

$$S(U|E) - H(U|Y) = S(E|U) - S(E) - \bigl(H(Y|U) - H(Y)\bigr)$$

with

$$S(E|U) = \tfrac{1}{2} S\bigl((1 - q)\sigma_E^0 + q\,\sigma_E^1\bigr) + \tfrac{1}{2} S\bigl(q\,\sigma_E^0 + (1 - q)\sigma_E^1\bigr)$$

$$S(E) = S\bigl(\tfrac{1}{2}\sigma_E^0 + \tfrac{1}{2}\sigma_E^1\bigr) .$$

Furthermore, $H(Y) = 1$ and

$$H(Y|U) = h[q(1-Q) + (1-q)Q] ,$$

where h is the binary entropy function.

These expressions can easily be evaluated numerically.
For an optimal choice of the parameter q, we get a positive
secret-key rate if Q < 0.141. Without the pre-processing,
we obtain the known bound Q < 0.126 9]
(see Fig. Remarkably, this bound has already been
improved to Q < 0.127 [9] using degenerate quantum
codes, which can be interpreted as a certain type of
pre-processing.

Another method to obtain conditions on the set $\Gamma_{\mathrm{QBER}}$
in is to use some additional symmetrization. For
this, we consider the operator $\mathcal{D}_1$ as defined by © with



[Figure 1: QBER axis with rows "new bounds", "previous bounds" and "O.K."; marked values 12.7, 14.1, 15.7, 16.3 and 16.6 (percent)]

FIG. 1: Lower and upper bounds on the maximally tolerable 
QBER Q in percent for the six-state protocol. The last line 
(O.K.) indicates the QBER such that I(X; Y) = I(X; Z) = 
I(Y; Z) where X and Y is Alice's and Bob's classical infor- 
mation, respectively, and where Z is the classical information 
that Eve can gain in an individual attack. 



A x = V x , A 2 = V y ,A 3 = V z and B 1 = V X ,B 2 
$V_z$, where $V_x, V_y, V_z$ denote the unitary operators transforming
the z-basis into the x, y, z-basis, respectively.
This implies that $\mathcal{D}_2(\mathcal{D}_1(\sigma_{AB})) = \lambda_1 P_{|\Phi^+\rangle} + \lambda_2 P_{|\Phi^-\rangle} +
\lambda_3 P_{|\Psi^+\rangle} + \lambda_4 P_{|\Psi^-\rangle}$, where $\lambda_3 + \lambda_4 = 2\lambda_2$. As explained
in [18], we can, instead of $\mathcal{D}_2$, apply another symmetrization
operation $\mathcal{D}'_2(\rho)$, e.g.,



v' 2 { P ) = Y J o l l ®o[p (o;)t®(oj) 



(19) 



where 0[ € {UV : U e {1, o>, diag(-i, 1), diag(i, 1)} 
andy S {1, fia;}}. Apart from depolarizing any state 
to a Bell-diagonal state, this map also equalizes the
coefficients $\lambda_3$ and $\lambda_4$ in (10). This implies that
$\mathcal{D}'_2(\mathcal{D}_1(\Gamma_{\mathrm{QBER}})) = \{(1 - 3Q/2)\,P_{|\Phi^+\rangle} + Q/2\,(P_{|\Phi^-\rangle} + P_{|\Psi^+\rangle} +
P_{|\Psi^-\rangle})\}$. Thus, using this method, we find right away all
the necessary conditions on the set $\Gamma_{\mathrm{QBER}}$.

Finally, we can use (15) to compute an upper bound on
the secret-key rate of the one-way six-state protocol. Let
again $|\theta^{0,0}\rangle$ and $|\theta^{1,1}\rangle$ be the states of Eve conditioned
on the event that Alice and Bob have the values (0, 0)
and (1, 1), respectively. If the adversary applies a von
Neumann measurement with respect to projectors along
$\tfrac{1}{\sqrt{2}}(|\theta^{0,0}\rangle + |\theta^{1,1}\rangle)$ and $\tfrac{1}{\sqrt{2}}(|\theta^{0,0}\rangle - |\theta^{1,1}\rangle)$, resulting in Z,
we get $r(X, Y, Z) = 0$ whenever Q > 0.163.



B. BB84 

The BB84 protocol Q is very similar to the six-state
protocol, but uses only two of the three bases for the
encoding. Hence, one only gets two conditions on the
diagonal entries $\lambda_1, \ldots, \lambda_4$ (with respect to the Bell basis)
of the density operator $\sigma_{AB}$, namely $\lambda_3 + \lambda_4 = Q$ and
$\lambda_2 + \lambda_4 = Q$. Hence, the set $\Gamma_{\mathrm{QBER}}$ contains all states
with diagonal entries $\lambda_1 = 1 - 2Q + \lambda_4$ and $\lambda_2 = \lambda_3 =
Q - \lambda_4$, for any $\lambda_4 \in [0, Q]$.

FIG. 2: Lower bound on the secret-key rate of the BB84
protocol as a function of the QBER Q. The dashed line
represents the known result Q, whereas the full line shows our
new lower bound. The insert shows the optimal value $q_{opt}$
for the probability by which Alice has to flip her bits in the
pre-processing phase.

The evaluation of © now follows the same lines as
described above for the six-state protocol. A straightforward
calculation shows that, independently of the
amount of noise added in the pre-processing, expression 10
takes its minimum for $\lambda_4 = Q^2$. When optimizing
over the preprocessing (i.e., the amount of noise
introduced by Alice) we get a positive rate if Q < 0.124
(see Fig. Note that, without the pre-processing, we
obtain Q < 0.110, which is exactly the bound due to
Shor and Preskill [8]. Computing the upper bound (15)
reproduces the known result saying that the (one-way)
secret-key rate is zero if Q > 0.146 [24].
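The numerical evaluation described for the six-state protocol and for BB84 can be reproduced directly from the formulas above. The following Python sketch is an added example, not code from the paper: it uses the block form of Eve's states $\sigma_E^x$, the entropy difference $S(E|U) - S(E) - (H(Y|U) - H(Y))$, the six-state entries $\lambda_1 = 1 - \tfrac{3}{2}Q$, $\lambda_2 = \lambda_3 = \lambda_4 = \tfrac{1}{2}Q$ and, for BB84, the minimizing choice $\lambda_4 = Q^2$ stated in the text. All function names, the noise grid and the bisection bounds are assumptions of this example.

```python
import math

def entropy(probs):
    """Entropy in bits of a list of eigenvalues; non-positive entries
    (exact zeros or rounding noise) contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)

def binary_entropy(p):
    return entropy((p, 1.0 - p))

def block_eigenvalues(a, b, q):
    """Eigenvalues of the 2x2 block [[a, c], [c, b]] of the mixture
    (1-q)*sigma_E^0 + q*sigma_E^1, where c = (1 - 2q) * sqrt(a*b)."""
    mean = (a + b) / 2.0
    radius = math.sqrt(((a - b) / 2.0) ** 2 + (1.0 - 2.0 * q) ** 2 * a * b)
    return (mean + radius, mean - radius)

def key_rate(lams, q):
    """S(U|E) - H(U|Y) for Bell-diagonal entries lams = (l1, l2, l3, l4)
    when Alice flips each bit with probability q and V is a constant."""
    l1, l2, l3, l4 = lams
    qber = l3 + l4
    # Both values of U give mixtures with the same spectrum, so the
    # average over U equals the entropy of one of them.
    s_e_given_u = entropy(block_eigenvalues(l1, l2, q) + block_eigenvalues(l3, l4, q))
    s_e = entropy(lams)  # (sigma_E^0 + sigma_E^1)/2 is diag(l1, ..., l4)
    h_y_given_u = binary_entropy(q * (1.0 - qber) + (1.0 - q) * qber)
    return s_e_given_u - s_e - (h_y_given_u - 1.0)  # H(Y) = 1

def six_state(qber):
    return (1.0 - 1.5 * qber, qber / 2.0, qber / 2.0, qber / 2.0)

def bb84(qber):
    # lambda_4 = Q^2 is the minimizing choice given in the text
    l4 = qber ** 2
    return (1.0 - 2.0 * qber + l4, qber - l4, qber - l4, l4)

# Constructed grid of bit-flip probabilities q in [0, 0.499]
NOISE_GRID = [i / 1000.0 for i in range(500)]

def best_rate(lams, grid):
    return max(key_rate(lams, q) for q in grid)

def max_tolerable_qber(family, grid, lo=0.01, hi=0.25, tol=1e-6):
    """Bisection for the largest QBER at which some q in grid still
    gives a positive rate (positive at lo, negative at hi)."""
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if best_rate(family(mid), grid) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    for name, family in (("six-state", six_state), ("BB84", bb84)):
        plain = max_tolerable_qber(family, [0.0])
        noisy = max_tolerable_qber(family, NOISE_GRID)
        print(f"{name}: Q < {plain:.4f} without noise, Q < {noisy:.4f} with noise")
```

Near the threshold the best bit-flip probability approaches 1/2 and the rate becomes very small, which is why the grid extends to q = 0.499.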



C. B92 

In contrast to the BB84 and the six-state protocol, Alice
uses two non-orthogonal states 6] $|\varphi^0\rangle = \alpha|0\rangle + \beta|1\rangle$
and $|\varphi^1\rangle = \alpha|0\rangle - \beta|1\rangle$ to encode her bit-values 0 and
1, respectively, where $\alpha$ and $\beta$ are (without loss of generality)
real coefficients with $\alpha^2 + \beta^2 = 1$. Bob randomly
applies a measurement with respect to the basis
$\{|\varphi^0\rangle, |\varphi^0\rangle^\perp\}$ or $\{|\varphi^1\rangle, |\varphi^1\rangle^\perp\}$, where $|\varphi^x\rangle^\perp$ denotes the
normalized vector orthogonal to $|\varphi^x\rangle$, for x = 0, 1. He
then assigns the bit values 0 and 1 to the measurement
outcomes $|\varphi^1\rangle^\perp$ and $|\varphi^0\rangle^\perp$, respectively. In the sifting
step, Alice and Bob discard all bit pairs where Bob measured
$|\varphi^0\rangle$ or $|\varphi^1\rangle$.

FIG. 3: Lower bound on the secret-key rate of the B92 protocol,
for $\alpha = 0.38$ (see text for an explanation of the parameter
$\delta$). The dashed line represents the known result without
pre-processing |T^|. whereas the solid line is our new lower
bound on the rate when Alice additionally adds noise $q_{opt}$ to
her measurement data.

In order to evaluate expression @, we will rely on
some of the calculations presented in [lfj. We first
need a description of Alice and Bob's data bits after
the sifting step. Note that, in contrast to the BB84
or the six-state protocol, the sifting only depends on
the measurement outcomes of Bob. Therefore, we consider
the state obtained from the operation $\mathbb{1}_A \otimes B$, with
$B := |0\rangle\langle\varphi^1|^\perp + |1\rangle\langle\varphi^0|^\perp$ applied to each of the qubit
pairs. Note that this corresponds to the application of the
map $\mathcal{D}_1$ (see I0). $\Gamma_{\mathrm{QBER}}$ is then defined as the set of all
states $\sigma_{AB}$ which can result from this operation (applied
to any two-qubit density operator which corresponds to a
collective attack of Eve) and, in addition, are compatible
with the QBER. In ^(| , explicit conditions on the diagonal
entries (with respect to the Bell basis) of these states
have been computed. In particular, the first two diagonal
entries are Ai = (1 — Q)^p- and A 2 = (1 — Q)-^p where s 
is the scalar product between the states of the adversary, 
conditioned on the event that Alice and Bob have the val- 
ues (0,0) and (1,1), respectively. This characterization 
is already sufficient to obtain reasonable lower bounds on 
the rate 

Similarly to the previous examples, adding noise on
Alice's side turns out to be useful. The results of our
computations are summarized in Fig. 3, parameterized
by the noise $\delta$ of a corresponding depolarizing channel
$\rho \mapsto (1 - 2\delta)\rho + \delta\mathbb{1}$ [41]. The rate is positive as long as
$\delta < 0.0278$ (compared to $\delta \leq 0.0240$ without noise ]TlI
Hflf). Within the region shown in the figure, the relation
between the parameter $\delta$ and the QBER is $Q \approx 2\delta$ [42].



VI. CONCLUSIONS AND OPEN PROBLEMS 

We have analyzed a general class of QKD protocols
with one-way classical post-processing, thereby using a
technique which is not based on entanglement purification.
We have shown that, in order to guarantee security
against the most general attacks, it is sufficient to consider
collective attacks. Moreover, we have derived a new
general lower bound on the secret-key rate (formula (JjJJ)
which is very similar to the well-known expression for
the classical one-way secret-key rate due to Csiszar and
Korner [2^| . While the latter applies if the information of
the adversary is purely classical (i.e., if she is restricted
to individual attacks), expression can be seen as a
quantum version of it.

In order to evaluate 10, one only needs to optimize 
over a certain set of two-qubit density operators, which 
is characterized by the possible collective attacks on the 
specific protocol. We have illustrated this for some of 
the most popular QKD schemes, namely the BB84, the 
six-state, and the B92-protocol, with one-way classical 
post-processing, say, from Alice to Bob. Surprisingly, our 
results imply that the performance of these protocols can 
be increased if Alice introduces noise to her measurement 
data. In particular, we get new lower bounds on the 
maximum tolerated channel noise which are between 10 
and 15 percent larger than the previously known ones. 

While our method allows to exactly analyze the security
of a general class of QKD protocols with one-way
post-processing, it is still an open problem to identify the
protocols which achieve the maximum rate. In particular,
we do not know whether a bit-wise pre-processing
is optimal, or whether it might be more advantageous
for Alice and Bob to process larger blocks. Note, however,
that the upper bound (13) on the secret-key rate of
one-way protocols essentially has the same form as the
lower bound 0, but involves a maximization over certain
quantum states instead of only classical random variables.
The question of whether bit-wise pre-processing is
optimal thus reduces to the problem of proving that these
two expressions are equal.
APPENDIX A: SMOOTH RENYI ENTROPY

1. Basic properties

Smooth Renyi entropy has been introduced in [19] in
order to characterize fundamental properties of classical
random variables. For instance, the $\varepsilon$-smooth Renyi entropy
of order 0 of a random variable X conditioned on
Y, denoted $H_0^{\varepsilon}(X|Y)$, measures the minimum length of
an encoding C of X such that X can be reconstructed
from C and Y, except with probability roughly $\varepsilon$. Similarly,
the $\varepsilon$-smooth Renyi entropy of order 2, denoted
$H_2^{\varepsilon}(X|Y)$, quantifies the amount of uniform randomness
independent of Y that can be extracted from X (with
probability roughly $1 - \varepsilon$).

In , the notion of smooth Renyi entropy has been
generalized to quantum states. For a density operator
$\rho$, we denote by $S_\alpha^{\varepsilon}(\rho)$ the $\varepsilon$-smooth Renyi entropy of
order $\alpha$ of $\rho$. Similar to the von Neumann entropy, $S_\alpha^{\varepsilon}(\rho)$
is defined as the (classical) smooth Renyi entropy of the
eigenvalues of $\rho$, interpreted as a probability distribution.
We also write $S_\alpha^{\varepsilon}(UV)$ instead of $S_\alpha^{\varepsilon}(\rho_{UV})$ and, similarly,
$S_\alpha^{\varepsilon}(U)$ instead of $S_\alpha^{\varepsilon}(\rho_U)$, where $\rho_U$ is the partial state
$\rho_U := \mathrm{tr}_V(\rho_{UV})$.

We start reviewing some basic properties of smooth 
Renyi en trop y of quantum states. The proofs can be 
found in [Bj and [l5j . Most of these properties are very 
analogous to the properties of the von Neumann entropy 
S(-). For instance, if puv is a state on Hu (g> Ti-v, then 
the difference between S^(UV) and S^(U) is bounded by 
the entropy of V, which corresponds to the well known 
fact that S(U) - S(V) < S(UV) < S(U) + S(V): For 
a = 2, we have 

S £ 2 (UV) < S £ 2 +e ' \U) + S" ' (V) (Al) 
Sl +e ' (UV) > Sm - S E ' (V) (A2) 

and, similarly, for a = 0, 

S^' (UV) < S^U) + S £ a ' (V) (A3) 

S £ (UV)>S^'(U)-S £ '(V) . (A4) 

Consider now a bipartite state $\rho_{UZ}$ on $\mathcal{H}_U \otimes \mathcal{H}_Z$ where
the second part is purely classical, i.e.,

$$\rho_{UZ} = \sum_z P_Z(z)\, \rho_U^z \otimes P_{|z\rangle} ,$$

for some probability distribution $P_Z$ and a family of
orthonormal vectors $\{|z\rangle\}_z$ on $\mathcal{H}_Z$. Then, the smooth
Renyi entropy cannot increase when conditioning on Z,
that is,

$$S_\alpha^{\varepsilon}(U|Z) \leq S_\alpha^{\varepsilon}(U) , \tag{A5}$$

for $\alpha = 0$ and $\alpha = 2$. The following inequalities can
be interpreted as extensions of the chain rule $S(UZ) =
S(U|Z) + S(Z)$ to smooth Renyi entropy:

Sl(U\Z) < St £ '(UZ) - Hl'(Z) (A6) 
S^' +£ "{U\Z) > Si(VZ) - Hf(Z) - 21og(l/e) (A7) 

Sl(U\Z)>Sl +£ '(UZ)-Hl{Z) (A8) 
S £+£ ' +£ "(U\Z) < S £ '(UZ) - Hf(Z) + 21og(l/e) . 

(A9) 

More generally, let puzv be a density operator on Hjj <8> 
Ttz®Tiv such that the states on Ttu and Hy only depend 
on the classical subsystem Hz, i.e., there exist density 
operators p\j and py on Hjj and Tiv, respectively, such 
that 

Puvz = p z( z )Pu ® Pv ® P\z) , 

z£Z 

where Pz is a probability distribution and {|z)} z e,z a 
family of orthonormal vectors on Hz- Then 

S e 2 +e '{UVZ) > S e 2 {U\Z) + si(VZ) (A10) 
S e + e '{UVZ) < S £ (U\Z) + S £ (VZ) . (All) 
The following identities are useful to determine the
conditional smooth Renyi entropy $S_\alpha^{\varepsilon}(U|Z)$ if the smooth
Renyi entropy $S_\alpha^{\varepsilon}(U|Z = z)$, conditioned on certain values
z, is known. For any $z \in \mathcal{Z}$, let $\varepsilon_z := \varepsilon \cdot P_Z(z)$.
Then

S**(U\Z)<SI(U\Z = z) (A12) 
So'(U\Z) > S £ {U\Z = z) . (A13) 

Additionally, for any set 2c2 such that Pr z [z £ Z] > 
l-e, 

SI +e '(U\Z) > min S £ 2 '(U\Z = z) (A14) 
S e Q +e '(U\Z) < maxSf;(U\Z = z) . (A15) 

z£Z 

Similarly to the von Neumann entropy, the smooth 
Renyi entropy can only increase when applying a unital 
quantum operation £ j^j, that is, 

SU£{ P u)) > S S M . (A16) 

for any a £ M+ and e £ K + . 

The smooth Renyi entropies of order a are related for 
different values of a. In particular, we have 

SI(U) < S^U) , (A17) 

where the approximation holds up to 0(e). Finally, the 
smooth Renyi entropy of an n-fold product state p® n 
approaches the von Neumann entropy. Formally, for any 

a £ R+ and e £ E+, 

\SU P ® n )-nS(p)\ <0(log(l/e)) . (A18) 



2. Smooth Renyi entropy and measurements 

Let £ be a measurement defined by a family of oper- 
ators {E z } zeZ . Let pfj := £(pu) = Y.z E zPu E l be the 
state of the quantum system after applying £ to a den- 
sity operator pu, and let Z be the classical measurement 
outcome, i.e., Pz{z) ■— ti(E z puEl), for z £ Z. We have 
seen in the previous section (see HA16I) ) that the entropy 
S^(U) of p^ can only be larger than the entropy S E a (U) 
of pu if £ is unital. The following lemma states that the 
maximum increase of the smooth Renyi entropy when ap- 
plying £ is bounded by the entropy Hq(Z) of the classical 
measurement outcome Z. 

Lemma A.l. Let pjj be the state obtained when applying 
the trace-preserving measurement £ to pu and let Z be 
the classical outcome. Then, for e,e' £ K + , 

S$(U) < S £ 2 +e ' \U) + HI (Z) (A19) 
S^' (U) < S" (U) + HI' (Z) . (A20) 



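Proof. Let $T$ be the linear operation from $\mathcal{H}_U$ to $\mathcal{H}_{\bar U} \otimes \mathcal{H}_Z$ defined by

$$T : |\psi\rangle \mapsto \sum_z (E_z |\psi\rangle) \otimes |z\rangle \ ,$$

for any $|\psi\rangle \in \mathcal{H}_U$, where $\{|z\rangle\}_z$ is a family of orthonormal vectors in $\mathcal{H}_Z$. Let $\rho'_{\bar U Z} := T \rho_U T^\dagger$. It is easy to verify that $\rho_{\bar U} = \mathrm{tr}_Z(\rho'_{\bar U Z})$, and that the eigenvalues of $\rho'_Z$ correspond to the probabilities $P_Z(z)$. Hence, since the smooth Rényi entropy of quantum states is defined by the classical smooth Rényi entropy of its eigenvalues, we have $S_\alpha^\varepsilon(\rho'_Z) = H_\alpha^\varepsilon(Z)$. Moreover, because $\mathcal{E}$ is trace-preserving, i.e., $\sum_{z \in \mathcal{Z}} E_z^\dagger E_z = \mathbb{1}$, we have $T^\dagger T = \mathbb{1}$. Consequently, $\rho'_{\bar U Z}$ has the same eigenvalues as $\rho_U$, i.e., $S_\alpha^\varepsilon(\rho'_{\bar U Z}) = S_\alpha^\varepsilon(\rho_U)$. Hence, using (A2), we find

$$S_2^\varepsilon(\rho_{\bar U}) = S_2^\varepsilon(\mathrm{tr}_Z(\rho'_{\bar U Z})) \le S_2^{\varepsilon+\varepsilon'}(\rho'_{\bar U Z}) + S_0^{\varepsilon'}(\rho'_Z) = S_2^{\varepsilon+\varepsilon'}(\rho_U) + H_0^{\varepsilon'}(Z) \ ,$$

which concludes the proof of (A19). Inequality (A20) follows by the same argument, where (A2) is replaced by (A3). □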

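A similar relation holds between the smooth Rényi entropy $S_\alpha^\varepsilon(U)$ of the original quantum state $\rho_U$ and the entropy $S_\alpha^\varepsilon(\bar U|Z)$ of the state $\rho_{\bar U}$ after the measurement, conditioned on the classical outcome $Z$. Lemma A.2 below states that the difference between these entropies is roughly bounded by the entropy $H_0(Z)$ of $Z$.

Lemma A.2. Let $\rho_{\bar U}$ be the state obtained when applying a von Neumann measurement $\mathcal{E}$ to a state $\rho_U$. Let $S_\alpha^\varepsilon(\bar U|Z)$ be the entropy of $\rho_{\bar U}$, conditioned on the classical outcome $Z$. Then, for $\varepsilon, \varepsilon', \varepsilon'' \in \mathbb{R}^+$,

$$S_2^{\varepsilon+\varepsilon'}(U) \ge S_2^{\varepsilon}(\bar U|Z) - H_0^{\varepsilon'}(Z) \tag{A21}$$

$$S_2^{\varepsilon}(U) \le S_2^{\varepsilon+\varepsilon'+\varepsilon''}(\bar U|Z) + H_0^{\varepsilon'}(Z) + 2\log(1/\varepsilon'') \tag{A22}$$

and

$$S_0^{\varepsilon+\varepsilon'}(U) \le S_0^{\varepsilon}(\bar U|Z) + H_0^{\varepsilon'}(Z) \tag{A23}$$

$$S_0^{\varepsilon}(U) \ge S_0^{\varepsilon+\varepsilon'}(\bar U|Z) - H_0^{\varepsilon'}(Z) \ . \tag{A24}$$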

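Proof. Let $E_z$ be the projectors defined by the measurement $\mathcal{E}$ and let $\rho_{\bar U Z}$ be the state as defined in the proof of Lemma A.1. Since, by assumption, the ranges of the operators $E_z$, for $z \in \mathcal{Z}$, are mutually orthogonal, the states $\rho_{\bar U Z}$ and $\rho_{\bar U}$ have the same eigenvalues and thus $S_\alpha^\varepsilon(\bar U Z) = S_\alpha^\varepsilon(\bar U)$. Using this identity, (A21) follows from (A19) and (A5),

$$S_2^{\varepsilon+\varepsilon'}(U) \ge S_2^{\varepsilon}(\bar U) - H_0^{\varepsilon'}(Z) \ge S_2^{\varepsilon}(\bar U|Z) - H_0^{\varepsilon'}(Z) \ .$$

Similarly, (A22) follows from (A16) and (A7),

$$S_2^{\varepsilon}(U) \le S_2^{\varepsilon}(\bar U) = S_2^{\varepsilon}(\bar U Z) \le S_2^{\varepsilon+\varepsilon'+\varepsilon''}(\bar U|Z) + H_0^{\varepsilon'}(Z) + 2\log(1/\varepsilon'') \ .$$

To prove (A23), we use (A16) and (jUJl,

$$S_0^{\varepsilon+\varepsilon'}(U) \le S_0^{\varepsilon+\varepsilon'}(\bar U) = S_0^{\varepsilon+\varepsilon'}(\bar U Z) \le S_0^{\varepsilon}(\bar U|Z) + H_0^{\varepsilon'}(Z) \ .$$

Finally, (A24) follows from (A20) and (A5),

$$S_0^{\varepsilon}(U) \ge S_0^{\varepsilon+\varepsilon'}(\bar U) - H_0^{\varepsilon'}(Z) \ge S_0^{\varepsilon+\varepsilon'}(\bar U|Z) - H_0^{\varepsilon'}(Z) \ .$$

□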

3. The smooth Rényi entropy of symmetric states

The goal of this section is to derive an expression for the smooth Rényi entropies of a symmetric state over $n$ subsystems in terms of the von Neumann entropy of a corresponding state over only one subsystem.

Let $\sigma_1, \ldots, \sigma_d$ be density operators on $\mathcal{H}_U$ and let $\rho_U^n$ be the symmetric state over $\mathcal{H}_U^{\otimes n}$ defined by

pi ■■= M E ^ < 11 ® • • • ® a T d ) ( A25 ) 

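where, for any $\mathbf{n} \in \Gamma_d^n := \{(n_1, \ldots, n_d) : \sum_i n_i = n\}$, $\mu_{\mathbf{n}}$ are nonnegative coefficients such that $\sum_{\mathbf{n}} \mu_{\mathbf{n}} = 1$.

Similarly, for any $d$-tuple $\lambda = (\lambda_1, \ldots, \lambda_d)$ over $\mathbb{R}^+$, let $\sigma_U[\lambda]$ be the density operator on $\mathcal{H}_U$ defined by

$$\sigma_U[\lambda] := \sum_i \lambda_i \sigma_i \ . \tag{A26}$$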

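Let $\mathcal{E}$ be a quantum operation from $\mathcal{H}_U$ to $\mathcal{H}_V$. The following lemma gives a relation between the smooth Rényi entropy of the symmetric state obtained by applying $\mathcal{E}$ to each of the subsystems of a purification of $\rho_U^n$ and the von Neumann entropy of the state obtained by applying $\mathcal{E}$ to a purification of $\sigma_U[\lambda]$.

Lemma A.3. Let $\rho_{UW}$ be a purification of the state $\rho_U^n$ defined by (A25) with coefficients $\mu_{\mathbf{n}}$ and let $\rho_{VW} := (\mathcal{E} \otimes \mathbb{1}_W)^{\otimes n}(\rho_{UW})$. Similarly, for any $d$-tuple $\lambda$, let $\sigma_{UW}[\lambda]$ be a purification of the state $\sigma_U[\lambda]$ defined by (A26) and let $\sigma_{VW}[\lambda] := (\mathcal{E} \otimes \mathbb{1}_W)(\sigma_{UW}[\lambda])$. Let $\bar\Gamma$ be a subset of $\Gamma_d^n$ such that $\sum_{\mathbf{n} \in \bar\Gamma} \mu_{\mathbf{n}} \ge 1 - \frac{\varepsilon}{2}$. Then

$$S_2^\varepsilon(\rho_{VW}) \gtrsim n \min_\lambda S(\sigma_{VW}[\lambda])$$

$$S_0^\varepsilon(\rho_{VW}) \lesssim n \max_\lambda S(\sigma_{VW}[\lambda])$$

where the minimum and maximum are taken over all $\lambda = (\lambda_1, \ldots, \lambda_d)$ such that $n(\lambda_1, \ldots, \lambda_d) \in \bar\Gamma$, and where the approximation is up to $O(d \log(n) + \log(n/\varepsilon))$.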

The proof of Lemma A.3 is based on the fact that there exists a measurement on $\sigma_U[\lambda]^{\otimes n}$ such that the resulting state, conditioned on a certain measurement outcome, is equal to the state $\rho_U^n$. The assertion then follows from the observation that this measurement changes the entropies only by a small constant.

We start with the proof of a restricted version of the statement, formulated as Lemma A.4 below, which holds for states of the form (A25) where only one of the weights $\mu_{\mathbf{n}}$ is nonzero. Let $|\varphi_1\rangle, \ldots, |\varphi_d\rangle \in \mathcal{H}_U \otimes \mathcal{H}_W$ be purifications of the states $\sigma_1, \ldots, \sigma_d$, respectively, such that the partial traces $\mathrm{tr}_U(P_{|\varphi_i\rangle})$ are mutually orthogonal. For $\mathbf{n} = (n_1, \ldots, n_d) \in \Gamma_d^n$, let

MS™ := -/=L= £ ttO^i)®" 1 ® • • • ® l^)®"*) , 

(A27) 

where $S_n$ denotes the set of all permutations $\pi$ on $n$-tuples. Similarly, for $\lambda = (\lambda_1, \ldots, \lambda_d)$, let

$$|\varphi\rangle_{UW} := \sum_{i=1}^{d} \sqrt{\lambda_i}\, |\varphi_i\rangle \ . \tag{A28}$$

Lemma A. 4. Let Pu W [n] := P\^) a be the pure state 
defined by (|A27|) . /or some fixed n = (m, . . . , rid) € T^, 
and Zet p^ w [n] := (£ <g> l w ) 8 " l (/o?rw[n]). Moreover, /or 
A := (^, . . . , Zei <7£;w[A] := P\ v )* be the pure state 
defined by (|A28|) and let <Jvw[X] := (£ €5 1)(iJ[/w[A]). 
Then, for $\alpha \in \{0, 2\}$,

$$\left| S_\alpha^\varepsilon(\rho^n_{VW}[\mathbf{n}]) - n S(\sigma_{VW}[\lambda]) \right| \le O(\log(n/\varepsilon)) \ .$$

Proof. For any ie {1, . . . , d}, let be the projector onto 
the support of (£ (g> lvi/)(P| Vi )), which, by the definition 
of the vectors \ fi), are orthogonal for distinct i. Addi- 
tionally, let T : p i— > FqpFq +FipF± be the measurement 
on Hf n defined by 

F := E 

and Fi := l — i*o- We first show that 

PvwH - ^F (a vw [Xf n )F^ , (A29) 

where N := \S n \Uti X T ■ m 

Let (£ ® 1vk)(p) = 2™=i EapE^ be the operator- 
sum representation of £ (g> Ivk- Moreover, for any a := 
(cti, . . . , a„), let E a ■— E ai ® • • • <g> E an . The above 
equality can then be rewritten as 

a a 

It suffices to verify that equality holds for any term in 
the sum, i.e., 

E s |^ w = -^F E a \<p)^ , (A30) 

for any n-tuple a = {a\, . . . , a n ) on {1, ... , to}. Because 
of the definition of the projectors Pi, we have PiE a \<pj) = 
E a \<Pj), if i = j, and PiE a \<pj) = otherwise. Hence, 
for any \(pi lt ..., in ) := |<£«) <8 ■ • • ® |</0> 



otherwise, 



where 8 n := U(\fi) ni f> ■ ■ ■ <E) Wd) nd ) ■ tt <E S n }. This 
implies (|A30ll and thus (IA29j) . 



Let p^yy be the state of the system after applying the 
measurement T to oyv^[A]®™, an d let Z be the classi- 
cal measurement outcome. In the following, we write 
S^(VW\Z = 0) to denote the entropy of p 7 ^^ condi- 
tioned on Z = 0. Then, according to 1|A29|) . 



S Q (Pvw[n]) = S£(VW|Z = 0) . (A31) 

Let e' := ±P z (0)e where P z (0) = tr^o^®^)^). Us- 
ing (|A12)l and (|Al2l) . we find 

Sf(VW|Z = 0) > s| £ \vw|z) 

>5l'(<7^[A]®")-l-21og(l/ £ ') . 

Similarly, using (|A13)l and l|AH . 

S£(VW|Z = 0) < S 2e '(VW"|2) 

<5 2£ '( W [A]^ n ) + l . 

Hence, because the smooth Rényi entropy of order 0 is larger than the smooth Rényi entropy of order 2 (cf. (A17)), we have

SfV^) < Sf (VW|Z = 0) 



< 



S e (VW\Z = 0)<S 2 /(a®^) 



where the approximation holds up to $O(\log(1/\varepsilon'))$. Combining this with (A31), we conclude

siioTw) £ S s M w [n}) < S 2 /{aT w ) ■ 

The assertion then follows from the observation that 
Pz{0) > K which implies e' > and the fact that the 
smooth Renyi entropy of product states approaches the 
von Neumann entropy (see (jA18|) \ □ 

Proof of Lemma \A.fft It is easy to see that it suffices to 
prove the assertion for one specific purification of the 
states Pij and ajj. Let thus \$\) , . . . , \ifd) £ Hu <8> % 
be the purifications of <7i, . . . , <rj defined above. More- 
over, for any n £ LJJ, let p^j W [n} := P\^)» be the state 
defined by (|A27|I and let Puw := P\i>) wnere 



uv 



Similarly, for any A = (Ai, . . . , Ad), let <7;yw[A] := P\ v )^ w 
be the state defined by i|A28(l . It follows from these def- 
initions that Puw ^ s a purification of p^ and, similarly, 
o~uw [A] is a purification of pu [A] . 



For any n £ FJJ, let Hyy be the smallest subspace 
of TL^J 1 containing the support of the traces /)^[n] = 
tr w »n(pu W [n]). By the definition of the vectors \(pi), 
the subspaces Ti!^ are orthogonal for distinct n £ T^. 
Hence, there exists a projective measurement T onto the 
subspaces Tiu <S> Hyy . Consider the state pyw obtained 
when applying T to Pvwi ano - 1°^ Z be the classical out- 
come, i.e., Z takes values from the set T^. The entropy 
S e a (V n W n \Z = n) of the state p^ after the measure- 
ment, conditioned on Z = n, is equal to the entropy of 
p^r W [n] as defined by Lemma [A. 41 i.e., 

S s a (VW\Z = n)=S s M w [n}) . 
Hence, from (IA21j) and ljA14|) . 

S S M W ) > SI(VW\Z) - H (Z) 

> minS , 2 /2 (VW|Z = n) - H Q (Z) 
ner 

= mmS s 2 /2 ( f % w [n])-H (Z) . 
ner 

and, similarly, from (|A23|) and i|A15(l . 

^(Pvw) < S £ (VW\Z) + H (Z) 

<m^S £ /2 (p^ w [n])+H (Z) . 
ner 



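Finally, from Lemma A.4,

$$\left| S_\alpha^{\varepsilon/2}(\rho^n_{VW}[\mathbf{n}]) - n S(\sigma_{VW}[\lambda]) \right| \le O(\log(2n/\varepsilon))$$

where $\lambda = (\frac{n_1}{n}, \ldots, \frac{n_d}{n})$. The assertion then follows from the observation that $H_0(Z) \le \log_2(|\Gamma_d^n|) \le d \log_2(n)$. □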



APPENDIX B: ENTROPY OF ALMOST 
PRODUCT STATES 

Let $X$ be a classical random variable and let $\rho_B^x$ be a quantum state depending on $X$. Clearly, if the states $\rho_B^x$ are equal for all $x$, then the entropy of $X$ does not change when conditioning on the quantum system, i.e., $S(X) = S(X|B)$. In this section, we show that, if the joint state describing $X$ and $\rho_B^x$ is close to a product state, then the entropy change of $X$ when conditioning on the quantum system is still small (cf. Lemma B.2).

We first need a lemma relating the trace distance of two density operators to the trace distance of purifications of them.

Lemma B.1. Let $\rho$ and $\rho'$ be density operators and let $|\psi\rangle$ be a purification of $\rho$. Then there exists a purification $|\psi'\rangle$ of $\rho'$ such that

$$\delta(P_{|\psi\rangle}, P_{|\psi'\rangle}) \le \sqrt{2\,\delta(\rho, \rho')} \ .$$

Proof. Note that the fidelity $F$ is related to the trace distance $\delta$ according to

$$1 - F(\rho, \sigma) \le \delta(\rho, \sigma) \le \sqrt{1 - F(\rho, \sigma)^2} \ .$$

Moreover, Uhlmann's theorem states that there exists a purification $|\psi'\rangle$ of $\rho'$ such that

$$F(\rho, \rho') = F(P_{|\psi\rangle}, P_{|\psi'\rangle}) \ .$$

Hence,

$$\delta(P_{|\psi\rangle}, P_{|\psi'\rangle}) \le \sqrt{1 - F(P_{|\psi\rangle}, P_{|\psi'\rangle})^2} = \sqrt{1 - F(\rho, \rho')^2} \le \sqrt{2(1 - F(\rho, \rho'))} \ .$$

□

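Lemma B.2. Let $\rho_{XB}$ be a bipartite density operator of the form

$$\rho_{XB} = \sum_{x=1}^{d} \mu_x P_{|x\rangle} \otimes \rho_B^x \ ,$$

where $\{|x\rangle\}_{x \in \{1, \ldots, d\}}$ is an orthonormal basis of the first subsystem. If

$$\delta(\rho_{XB}, \rho_X \otimes \rho_B) \le \varepsilon \ ,$$

then

$$S(X|B) \ge S(X) - \sqrt{2\varepsilon}\, \log(d) - 1/e \ .$$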

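Proof. It is easy to see that the trace distance between $\rho_{XB}$ and $\rho_X \otimes \rho_B$ can be written as

$$\delta(\rho_{XB}, \rho_X \otimes \rho_B) = \sum_x \mu_x\, \delta(\rho_B^x, \rho_B) \ .$$

Let $|\psi\rangle$ be a purification of $\rho_B$. According to Lemma B.1, for all $x \in \{1, \ldots, d\}$, there exists a purification $|\psi^x\rangle$ of $\rho_B^x$ such that

$$\delta(P_{|\psi^x\rangle}, P_{|\psi\rangle}) \le \sqrt{2\,\delta(\rho_B^x, \rho_B)} \ .$$

Hence, using Jensen's inequality,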



x \ x 

Let now $\rho_{XBB'}$ be the state defined by

$$\rho_{XBB'} := \sum_x \mu_x \left( P_{|x\rangle} \otimes P_{|\psi^x\rangle} \right) \ .$$

Note that, by this definition, $\rho_{XB} = \mathrm{tr}_{B'}(\rho_{XBB'})$. From the strong subadditivity, we have

$$S(X|B) \ge S(X|BB') = S(XBB') - S(BB') \ge S(X) - S(BB') \ ,$$

where the last inequality holds since

$$S(BB'|X) = \sum_x \mu_x S(\rho^x_{BB'}) \ge 0 \ .$$

Because the rank of $\rho_{BB'}$ is not larger than $d$, $S(BB')$ can be bounded using Fannes' inequality, i.e.,

$$S(\rho_{BB'}) \le S(P_{|\psi\rangle}) + \delta(\rho_{BB'}, P_{|\psi\rangle}) \log(d) + 1/e \ . \tag{B1}$$

Since $\rho_{BB'} = \sum_x \mu_x P_{|\psi^x\rangle}$, it follows from the convexity of the trace distance that

$$\delta(\rho_{BB'}, P_{|\psi\rangle}) \le \sum_x \mu_x\, \delta(P_{|\psi^x\rangle}, P_{|\psi\rangle}) \le \sqrt{2\varepsilon} \ .$$

Inserting this into (B1) and observing that $S(P_{|\psi\rangle}) = 0$ concludes the proof. □

APPENDIX C: KNOWN RESULTS 

Consider two different measurement operations $\mathcal{E}$ and $\mathcal{F}$ applied to the individual parts of a symmetric state $\rho^n$. Lemma C.1 gives a relation between the measurement statistics of $\mathcal{E}$ and $\mathcal{F}$ (see for a proof).

Lemma C.1. Let $\rho^n$ be a symmetric quantum state on $\mathcal{H}^{\otimes n}$, and let $\mathcal{E}$ and $\mathcal{F}$ be POVMs on $\mathcal{H}$ with $|\mathcal{E}|$ and $|\mathcal{F}|$ POVM elements, respectively. Let $Q_X$ and $Q_Y$ be the frequency distribution of the outcomes when applying the measurements $\mathcal{E}^{\otimes k}$ and $\mathcal{F}^{\otimes n-k}$, respectively, to different subsystems of $\rho^n$. Finally, let $\mathcal{B}$ be any convex set of density operators such that, for any operator $A$ on $n-1$ subsystems, the normalization of $\mathrm{tr}_{n-1}(\mathbb{1} \otimes A \, \rho^n \, \mathbb{1} \otimes A^\dagger)$ is contained in $\mathcal{B}$. Then, for any $\varepsilon > 0$, with probability
at least 1 — 2' £ ' + '~ F 'e i~ , there exists a state a € B such 
that 

-5(Qx,P £ [a}) + <y(Q Y) P^M) <e, 

n n 

where $P_{\mathcal{E}}[\sigma]$ and $P_{\mathcal{F}}[\sigma]$ denote the probability distributions of the outcomes when measuring $\sigma$ with respect to $\mathcal{E}$ and $\mathcal{F}$, respectively.

Lemma C.2 below provides an expression for the maximum length of a key $S$ that can be generated from a string $Z$ such that $S$ is secure against an adversary holding a quantum state $\rho_E^z$ depending on $Z$. The proof can be found in 0] (see also jT^I). Note that Lemma C.2 holds with respect to a so-called universally composable security definition. This implies that the final key $S$ can be used in any context where a perfect key (i.e., a uniformly distributed key which is completely independent of the adversary's knowledge) is secure.

Lemma C.2. Let $\rho_{ZE}$ be a density operator such that $\rho_Z$ is classical, i.e., $\rho_{ZE} = \sum_z P_Z(z) P_{|z\rangle} \otimes \rho_E^z$, where $\{|z\rangle\}_z$ is a family of orthonormal vectors, and let $\varepsilon \in \mathbb{R}^+$. Let $S$ be the key computed by applying a two-universal hash function $F$ mapping the value of $Z$ to a value in $\{0, 1\}^\ell$. Then $S$ is $\varepsilon$-secure with respect to $\rho_{EF}$ if

£<SI(ZE)-S^'(E)-2\og(l/e) , 

where $\varepsilon' = (\varepsilon/8)^2$.
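Lemma C.2 as it would be applied in a post-processing step, in an added example that is not code from the paper: a Toeplitz-matrix hash (one standard two-universal family, chosen here as an assumption since the lemma only requires two-universality), an exhaustive check of its collision bound for small sizes, and the key length the lemma's bound allows. The function names, the base-2 logarithm and the entropy values passed in are assumptions of the example.

```python
import itertools
import math

def toeplitz_hash(seed, x, out_len):
    """Multiply the bit vector x by the out_len x n Toeplitz matrix over GF(2)
    whose entry (i, j) is seed[i - j + n - 1]; seed holds n + out_len - 1 bits."""
    n = len(x)
    if len(seed) != n + out_len - 1:
        raise ValueError("seed must hold len(x) + out_len - 1 bits")
    return tuple(
        sum(seed[i - j + n - 1] & x[j] for j in range(n)) & 1
        for i in range(out_len)
    )

def worst_case_collisions(n, out_len):
    """Largest number of seeds under which some pair x != x' collides.
    The hash is linear, so F(x) == F(x') exactly when F(x xor x') == 0 and it
    suffices to scan every nonzero difference against every seed."""
    zero = (0,) * out_len
    seeds = list(itertools.product((0, 1), repeat=n + out_len - 1))
    worst = 0
    for diff in itertools.product((0, 1), repeat=n):
        if any(diff):
            hits = sum(toeplitz_hash(s, diff, out_len) == zero for s in seeds)
            worst = max(worst, hits)
    return worst

def is_two_universal(n, out_len):
    """Two-universality: collision probability over the seed is at most 2**-out_len."""
    total_seeds = 2 ** (n + out_len - 1)
    return worst_case_collisions(n, out_len) * 2 ** out_len <= total_seeds

def secure_key_length(s2_ze, s0_e, eps):
    """Largest integer l with l <= S_2(ZE) - S_0(E) - 2*log2(1/eps).
    Returns (l, eps_prime), where eps_prime = (eps/8)**2 is the auxiliary
    smoothing parameter defined in the lemma.
    Assumption: logarithms are base 2, so all quantities are in bits."""
    if not 0 < eps < 1:
        raise ValueError("eps must lie strictly between 0 and 1")
    bound = s2_ze - s0_e - 2 * math.log2(1 / eps)
    return max(0, math.floor(bound)), (eps / 8) ** 2

def privacy_amplify(raw_key, seed, s2_ze, s0_e, eps):
    """Compress raw_key to the length allowed by the bound above."""
    length, _ = secure_key_length(s2_ze, s0_e, eps)
    return toeplitz_hash(seed[: len(raw_key) + length - 1], raw_key, length)
```

The seed must be chosen uniformly at random and independently of the raw key; it may be public, which is why the lemma states security with respect to the adversary's system together with $F$.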

The following lemma on error correction is a direct consequence of Lemma 4 from [23] (see also ^jj). Roughly speaking, it states that a message of length $H_0(X|Y)$ is sufficient to guess the value of $X$ when only $Y$ is known.

Lemma C.3. Let $\mathcal{X}$ and $\mathcal{Y}$ be sets, let $\varepsilon \in \mathbb{R}^+$, and let $m \in \mathbb{N}$. Then there exists a probabilistic encoding function $e : \mathcal{X} \times \mathcal{R} \to \mathcal{C}$, taking randomness with some distribution $P_R$ such that the following holds: For all probability distributions $P_{XY}$ on $\mathcal{X} \times \mathcal{Y}$ satisfying $H_0^{\varepsilon'}(X|Y) + \log(1/\varepsilon') \le m$, for $\varepsilon' = \varepsilon/2$, there exists a decoding function $d : \mathcal{C} \times \mathcal{Y} \to \mathcal{X}$ such that the probability of a decoding error is smaller than $\varepsilon$, i.e.,

$$\Pr_{(x,y,r) \leftarrow P_{XY} \times P_R}\left[ d(e(x, r), y) = x \right] \ge 1 - \varepsilon$$

and the encoding $C := e(X, R)$ gives no more than $m$ bits of information on $X$, i.e.,

H a (C) - H^CIX) < m . 

If Alice and Bob initially share a short key, they can use
a classical authentication scheme in order to implement 
an authentic channel. 

One possibility to deal with imperfections of the source 
or the detector is to include them into the model of the 
quantum channel (where dark counts might, e.g., be re- 
placed by random bits). This, however, corresponds to 
a situation where Eve has partial control over these de- 
vices, which might be unreasonable. 

For a fixed attack, the QBER might still take different 
values with certain probabilities. (Note that the average 
QBER is irrelevant in this context.) 

Error correction and privacy amplification might also be combined into one single protocol step.

This is not true for the first security proof of QKD against the most general attacks due to Mayers, which is based on different techniques.

The proof technique introduced in fl^l applies to most of the known protocols with one-way error-correction and privacy amplification (but without pre-processing). It is based on the result of [14] and the fact that the rank of a purification of Alice's and Bob's system can be bounded.

We will see in Section 11111 that one can always assume that all these particle pairs are measured with respect to the same basis.

For a definition and constructions of two-universal hash functions, see, e.g., [21] or [22].



[35] 

[36] This means that c^'lf has the same diagonal entries as $\sigma_{AB}$ with respect to the Bell basis.

[37] If this is not the case, one can always change the protocol such that some of the data bits are discarded, without reducing its rate.

If the data bits are measured with respect to different bases, the argument must be repeated for each basis. This is, however, usually not needed. In fact, for an optimal performance of the protocol, one of the encodings should be chosen with probability almost 1 whereas the other encodings should only be chosen with some small probability [23]. (The bit pairs resulting from the latter are then only used for parameter estimation.) This reduces the number of qubit-pairs lost in the sifting step.

[39] Let $\sigma_{ABZ}$ be a tripartite quantum state of the form $\sigma_{ABZ} = \sum_z P_Z(z)\, \sigma^z_{AB} \otimes P_{|z\rangle}$, where $\{|z\rangle\}$ is a family of orthonormal vectors. We say that $A \leftarrow Z \leftarrow B$ is a Markov chain if $\sigma_{ABZ} = \sum_z P_Z(z)\, \sigma^z_A \otimes \sigma^z_B \otimes P_{|z\rangle}$, i.e., the state in the subsystem $A$ is fully determined by the classical value $z$.

[40] We assume here that the encoding with respect to the z-basis is chosen with probability almost one (see also the discussion in Section ITTTI and [23]) such that the number of bit pairs discarded in the sifting step is negligible.

[41] For any given value of the QBER, the value $\delta$ is defined as the parameter of a depolarizing channel $\rho \mapsto (1 - 2\delta)\rho + \delta \mathbb{1}$ which produces the same QBER when employing the protocol.

[42] In general we have Q = S/(j 2 (l — 28) + 28), where = 
4a 2 (l-Q 2 ). 

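[43] A quantum operation $\mathcal{E}$ is unital if $\mathcal{E}$ is trace-preserving and if the fully mixed state is a fixed point of $\mathcal{E}$. Formally, if $\rho \mapsto \sum_z E_z \rho E_z^\dagger$ is the operator-sum representation of $\mathcal{E}$, then $\sum_z E_z^\dagger E_z = \sum_z E_z E_z^\dagger = \mathbb{1}$.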



